68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Size

439KB
MD5

036839678eccd8550aa0a5d128ddad90
SHA1

548c4f64da00bf6800c12bb6b0039a438fd9af51
SHA256

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60
SHA512

9a99b577ddbda33b66ab941c09722d019616174c559dc4c256aa811d380817c20e2a930763131b04abba01419a4135528812905918ae18922b2024e63c1fdaf6
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bKrvuZqMw6y:Os52hzpHq8eTi30yIQrDKrvuZq7

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe

pid	process
3520	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
3416	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
3708	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
640	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
1012	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
1448	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
4992	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
772	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
440	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
1576	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
1716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
2616	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
5004	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
4888	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
776	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
3132	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
4608	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
2716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
64	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
1116	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
4616	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
4908	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
4628	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
4656	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
1604	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe

Modifies registry class 54 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 043dae9e51fd7172	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe

C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
"C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3708

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1012

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:772

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
11⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:440

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
13⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
14⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
16⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
17⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
18⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3132

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
19⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
20⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
21⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:64

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
22⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
23⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4616

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
24⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4908

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
25⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4628

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
26⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:4656

\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
27⤵
- Executes dropped EXE
- Modifies registry class
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Filesize
440KB

MD5
93b3491ba6f211021992a452cfc4eeae

SHA1
289ece1162ce51dca90a4d671a30f4b0770b59ff

SHA256
90d2ffe5b7bb2df5bca2c94fc7b5565f00b54adb42b8e327c7669b2eab590ba3

SHA512
bbcf6d9c68c974405a76bcd1a2be7667176cf7aaaafea02586914b405634e2779b386c759c91660e578283bfed556533144ef21f3cc4de77cf39dbe8dd1e411e

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Filesize
441KB

MD5
9092e9c9c9037d72ceafdd78691312b2

SHA1
ed08e103bc64f397695900cd4d53e985d74cc148

SHA256
709d6930329a3fac90b35709f2a5525d401a4ac5f3eaadd0780e0ab7c42b4e75

SHA512
86d4dcb4b7c68fde481c2118e2a68996888728fee7e7c0de7a4e899a995c4ff4234e9b1d34ba2da7d763c14de45d671dd44352e5689cd6fd0bf799c7c1a760f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Filesize
441KB

MD5
ae0aefffc056b0c839f52f507d79671e

SHA1
068f263568e6f3759f43d5842792ac589cf24f1b

SHA256
149bc7be51a9b8792cdf1fff75dd595f6ce8ec0f281216cc22d4364d295dce56

SHA512
268b6e9fcc946241530d23d5ff501c35e1de7839a0720af96d4e19308ef7c2fb52a1b6d9199ce026bc99e44d2ed3c46acccf945e8c3b00b75366373ed4e34350

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Filesize
441KB

MD5
78080d50f7b962ab62ab12270289f966

SHA1
9b51b005fb24a32110b3986cdc44efafda836317

SHA256
c461efc30d1ee3851b7cda346e93f3e76b194a50e1c9688765e73011a53cc83a

SHA512
8443a08b56b7af1a8f4a928e9a5fbc1a9ea9f42d4c3def4ac48cb92154ee2173cc92aee4d98ec86f99424213448ea51acacf7c118799b3effc9a9589c56c2d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Filesize
442KB

MD5
5612d464bc120d02eb7ff6868f7508d3

SHA1
9f91c5323dcd4d789c3c30f4c57b28f19eabc7bd

SHA256
c32f39bce96c87016a6724cde695ed78f5135fd341573bd5cba9b419a7d906a9

SHA512
5b94ed4212456f3638ffabe9b50de1dcc82e720278f9176138d43d4576c2f2c51ec1399ac4b55f34ba28c1eefe7f1cabaf6145b2f7a2af31cde7354c27e33ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Filesize
443KB

MD5
0667aaf1c2cc6fddfa77b6bf5954a471

SHA1
1bc59ef03dc7e88b80d283bd559a4bf81e51eefe

SHA256
bde4f89b487fec0d92a9f8fbb27891855c79318001b42ce4dcd845a35b9812d2

SHA512
40725e865ea18d033b662847925cd18ea5f3c2c36b5dc42cbc048db845ae1cd75619c46b47946d06de9d43b6e0df0bfffca0736aeac048da29547b81b16c0e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Filesize
443KB

MD5
d33349b27a3a1fa2e39a060d220c5e68

SHA1
a668b53a4ac91a5814755b95db0377fa7c6a7df4

SHA256
1ff2c166d4b02612cd53127177031af5fb5fefc710f2f120a3efd008a3d76648

SHA512
43fedb54f9e9ef559ca7e8955afda3c912ae6fde4508682bc1b08a77d1ae240efc62a935b2c8beb322d396c1c5bf29fe2f1ab3145194753a4ae2e38fce01ebaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Filesize
443KB

MD5
9e14de76e345946d66ab4d54aeeed492

SHA1
2cbd722a8311769de9678a72ccfd0815b71b9d8e

SHA256
ed657a3991262aa82e110a3b754f27d124795a7314081bb8548960b93d79a7be

SHA512
cfba5b349e27d2d5293a5324eb837efbe66a0cfddc21d8521cc5a3457ed6e687d4f123f7cf345fdc5d5fa264b315667b2bb31a10eb74440ab1c068b1f49dc484

Download Submit
C:\Users\Admin\AppData\Local\Temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Filesize
443KB

MD5
e9c2fec0d7a0261b81cf15322d017b7b

SHA1
d8af54ca3cf64e8a889638b1c6aae9ebdb4a058e

SHA256
2fa3158bc7e235f89a45828d670a7d4b89905b78d7e1c40a9087aa9f0c8ea671

SHA512
e06910d958b2793d58bac6555c1e50fcd2f7105f0937e19431a3ea9e17417a467ac1c1182a603eb21d84cdcfce68eec5ea77112d5ff10cd4f7b0ec29187723fa

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Filesize
439KB

MD5
00c5ae8bbe689b0c22b4f944973a2319

SHA1
aeb91787ffd0d59ef58cd3d638f5c49fa9b00338

SHA256
c5f737a644552bd3a8b0fc214587a7d419e6df946220975f8ae408f1384503d0

SHA512
81182942ece28f9fe67121b134a2b8673293546bb4c2a3e35a02af2188e917e7b4db56ab478812b6b2012004b32cbff016b4abcaca38686ad67c14c3aa1863c8

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Filesize
439KB

MD5
36db6d1800f788f85ae60467a02749e7

SHA1
3d85cf543a31cb079e9ce64becfc7b7599678018

SHA256
abec33d7ad0a2e23d9c6c1ffba46b0d6c186bafb7a11b73c7eb56e101cc001a6

SHA512
d6f138b803651b5d05e9a883f99a667dc6f0891dcb33c09277c07f65a10c904ba36ecd3a7a38cac4e8983324b27c51ed834d7af2246628a60a2658991762cc20

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Filesize
439KB

MD5
ef5bb371220ec84f6bcb9ce02c5481c1

SHA1
f55dd3f9af98e4452a1b80464170b887e4aabe6c

SHA256
557574c9cfa9d40de5f0184b0a48eecba95ae9a6792e784a16d06eb9596916ee

SHA512
b143b95719d465c3cce0183b982109f4dc6c99d4dc94831f4a88c95a269e117997bf8525380f85cb6b87a422e10d4e0c654039a014e074176223257e79021874

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Filesize
440KB

MD5
80c28ce55eb231608ca2e6ec72edf447

SHA1
fa4cef69c2946b8bfdb75b0ca9d4bf1fec65541c

SHA256
437ab6987fec5c5a57bd98f9f943abf26c180fb508193ea68df806ff03ccbc55

SHA512
6edf06f0c8c4b48fc805dc9d9004292b9a44e846ede6d604f01dcd975a5e7041f5f0d9b9362ad1b96a0e39744fc2ead9b586d0ac12e51efc16996d4c570e4402

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Filesize
440KB

MD5
a33b1b46815dc9df25b5ef730035b53e

SHA1
a7b37a9cf573ab470a36827dca42ddcd461a8070

SHA256
249c6a5f2e11d93471612e540adca0da8f995b544689a300444ee755c324aa1c

SHA512
b3582adbc7f4194176a2f598dcbf4619ee9022e889bf0c74bede448a98282a2e1b82b664ecefc6348fe2c6e882ba9db8f0ec7da3172552a082f971f30d17cdc8

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Filesize
440KB

MD5
d83ee3062f99cccec50316e7c6736e43

SHA1
c8e82d1deda9a23c630e6e513fafb9461e20206f

SHA256
838ffc5fac4bb2c78268fb4df232595c31e822082e0a8418415a8f2d51f82a8d

SHA512
6a43aa9c9dc1628e224bb3854a010e118c8cc80307a8ef16a3c8509fec8448d3eae1da25decc0a60bb77434485f591960531ebe3b082381177a9f2ae84a5dbd4

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Filesize
440KB

MD5
2d798dc0ccfe93c1acecfd1be8f74bea

SHA1
3b6e242b9a2a15613dfe24c7f1fda90adb1ef4c6

SHA256
a42d25fc2cc81d550361fc5f400224cdc4646f2442eeccf4c9315341118cc1b7

SHA512
76639fa8a7e3ce458c3868fc06b7e0ac7acdd3e84a314b828397be49c88e985bf9c3cdc019bcc1ae475610b164f57241658756450ce3d2328882dafcafda8dc1

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Filesize
441KB

MD5
da871919dac0e4a3947bac93cd4a8d61

SHA1
6c4af77610e2d590cea3a1385452a1ebd53444d3

SHA256
57c6d495dd58229a13275e2f291c01070f327d7e34dc525808597a4e2c8c3139

SHA512
02d646220880819d8a82edb093b9228cab20baa84be68863ab07f1ed165e5d5e31107b37b74b8fcb0ab9296b8e59c3bfc35d23d61ce98fffc64dc8ded5ed4979

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Filesize
442KB

MD5
74c80e56ddba3ef3146c559962c27fc3

SHA1
516c6ea5fe7f93c16f6e8bc4b43c39ced4c5ab95

SHA256
7f2709003b7dc73f4b9150b71494afc0106d6ffde3b13a0ed3fbaf033d8c09c7

SHA512
3986fd3876296b06996c8679632f39bdc24be4f6252f597618b526c11ff7d51379a992dff0395ba91915a55e5ebf146cc5d28682e0af6e9d13b90aa98f0aeb00

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Filesize
442KB

MD5
0ffed16f5033119ab4389c4c67f1e2d3

SHA1
fe921ee2b2a7becd90b39151f29351fb617e12ab

SHA256
07938d79e01564ac699a69cc2de61d80b91b62c263a0c1e5f545f2db64970894

SHA512
88ed10d4f9dcd23e7d2aef897baee99e4b745140e0514aa614473c30229d2d5280d0e4cbb3330a6c9d2f575d51606c886acb49757d25a4f91b9c7713b4ef6221

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Filesize
442KB

MD5
7fc9c45872ed455dcb606ff0e2d8a138

SHA1
a3e1662da6fde9a4b16b25f843022c69b2c0b2ef

SHA256
3a41d1c065c1999c126e56107dbdb05636d68c7f261f8d1823758d163ef50d53

SHA512
1e6c188bd94ff7182ff7b7c2535d545fca4852800db1456f50db1b3f1786761c589d131f3bf816ecddb07703392fec2f3917bf55f06c929599f8ed3eacac0801

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Filesize
443KB

MD5
ac3beef465ae9d657429e06e203224bf

SHA1
8c1d812896d9a9f3659357e4c7f4e58a4bf2bcf3

SHA256
af2318a4e4abeb702dee5f77199f18a1796214e637cf33f0240986fb6f269600

SHA512
8d73c73677e128a78f8bbde8367f28797514bb9f9760c31e06f56f5294de9de077d305374d81544f432f3e3730177f68f40105b754e22e5278eae421caae72ee

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Filesize
444KB

MD5
348b634bfdae373ad75f9a5e112d8aa7

SHA1
6281d410c0c318cbc02af3af7244e9405caebfda

SHA256
2ebbcb90392a7cd6da83b1b2283377160688bb978719e57e19ed85203d970961

SHA512
c03f9d6e1c46cf399a5bef36d7ff849a12933dd84c39ae3f70e585e3226a4fa3630c2c4f2c89cef9d4ff021f759f5664bd4da8e7d74ee47abdd0255a64f38ac2

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Filesize
444KB

MD5
7c892aa819245240dc528b74d6ac8481

SHA1
d0129fc7bb094ebac7f4fdcce417c66cdcea43a9

SHA256
664f47987272337a34f8baa35b6a012123f71d323a455b19e628e2b9446a3a97

SHA512
4c5f01d36a1a96d94cf1e5da8eee3e5ed68459ef8b57955dc71b4d5ef163d1a8cdda6bbb4b4ddda41674e6487419aebbc1c5becd87414669b9feee0cfbbf2ed2

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Filesize
444KB

MD5
933306a0533146770e4575017aa95c78

SHA1
2c00be97dc5855fb9b43432e93fb5b5c9bbe3578

SHA256
d4e2e4246f2a1dd380bc94e5406657f21949a78d36a84a1a78f301ff4ba21c24

SHA512
3385388f460cc7e2edc4a20a2760dc6a00d1f13e52956aa8cfb035e829019d2c79b1c61f82d80a6a7561e82ba607c4c029a1edfca0e6ff83e2e7af00f782e528

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe
Filesize
444KB

MD5
a3cca2fce62ae58ad061fefad7d5cd61

SHA1
955ac81cba0016d60a059938d5325298a77f0a59

SHA256
235be489d75767039b38aaf3e95a8e403be890c9bb13147cb831a57b53722065

SHA512
6d242b1b39b241b5d0d6cfbbb1bc39fb8baba69aac32b81533a3c3aba692b44e7bac3f0992e3b1302c375cbde436e7114b203da80e42e6f60871d6efa6043c10

Download Submit
\??\c:\users\admin\appdata\local\temp\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe
Filesize
445KB

MD5
1796e86df473a70447bc5b3e13715e55

SHA1
d800fc9ed04ed17abdfe01064d626bb6acaa559c

SHA256
598be4344fe7dab79a00792baea29255dc133b282aad0a7b87ecaf71274c1619

SHA512
04c86a8e4abce717cb3eed9cb12a7434dc70ec457aa41cede072798dc2fa7fdad62b059d62ef40550c1201f0da3f05b9a9c675ed1ccdc45bb78506a913a63c3d

Download Submit
memory/64-225-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/440-118-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/640-54-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/640-44-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/772-98-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/772-107-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/776-183-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/776-173-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1012-65-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1012-55-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1048-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1048-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1116-235-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1116-226-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1448-76-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1448-66-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1576-119-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1576-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1604-281-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1604-283-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-140-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1716-128-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-86-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-77-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2616-149-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2716-214-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2716-205-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3132-184-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3132-194-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3416-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3416-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3520-21-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3520-11-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3708-42-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3708-33-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4608-203-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4616-237-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4616-246-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4628-268-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4628-259-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4656-270-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4656-280-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4888-172-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4888-162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4908-248-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4908-258-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4992-97-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4992-87-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5004-159-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5004-151-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202w.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202v.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202y.exe\""	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202x.exe

description	pid	process	target process
PID 1048 wrote to memory of 3520	1048	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 1048 wrote to memory of 3520	1048	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 1048 wrote to memory of 3520	1048	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe
PID 3520 wrote to memory of 3416	3520	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 3520 wrote to memory of 3416	3520	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 3520 wrote to memory of 3416	3520	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe
PID 3416 wrote to memory of 3708	3416	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 3416 wrote to memory of 3708	3416	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 3416 wrote to memory of 3708	3416	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202a.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe
PID 3708 wrote to memory of 640	3708	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 3708 wrote to memory of 640	3708	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 3708 wrote to memory of 640	3708	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202b.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe
PID 640 wrote to memory of 1012	640	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 640 wrote to memory of 1012	640	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 640 wrote to memory of 1012	640	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202c.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe
PID 1012 wrote to memory of 1448	1012	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 1012 wrote to memory of 1448	1012	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 1012 wrote to memory of 1448	1012	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202d.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe
PID 1448 wrote to memory of 2308	1448	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 1448 wrote to memory of 2308	1448	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 1448 wrote to memory of 2308	1448	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202e.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe
PID 2308 wrote to memory of 4992	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 2308 wrote to memory of 4992	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 2308 wrote to memory of 4992	2308	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202f.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe
PID 4992 wrote to memory of 772	4992	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 4992 wrote to memory of 772	4992	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 4992 wrote to memory of 772	4992	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202g.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe
PID 772 wrote to memory of 440	772	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 772 wrote to memory of 440	772	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 772 wrote to memory of 440	772	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202h.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe
PID 440 wrote to memory of 1576	440	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 440 wrote to memory of 1576	440	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 440 wrote to memory of 1576	440	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202i.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe
PID 1576 wrote to memory of 1716	1576	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 1576 wrote to memory of 1716	1576	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 1576 wrote to memory of 1716	1576	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202j.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe
PID 1716 wrote to memory of 2616	1716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 1716 wrote to memory of 2616	1716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 1716 wrote to memory of 2616	1716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202k.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe
PID 2616 wrote to memory of 5004	2616	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 2616 wrote to memory of 5004	2616	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 2616 wrote to memory of 5004	2616	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202l.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe
PID 5004 wrote to memory of 4888	5004	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 5004 wrote to memory of 4888	5004	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 5004 wrote to memory of 4888	5004	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202m.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe
PID 4888 wrote to memory of 776	4888	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 4888 wrote to memory of 776	4888	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 4888 wrote to memory of 776	4888	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202n.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe
PID 776 wrote to memory of 3132	776	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
PID 776 wrote to memory of 3132	776	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
PID 776 wrote to memory of 3132	776	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202o.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe
PID 3132 wrote to memory of 4608	3132	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
PID 3132 wrote to memory of 4608	3132	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
PID 3132 wrote to memory of 4608	3132	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202p.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe
PID 4608 wrote to memory of 2716	4608	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
PID 4608 wrote to memory of 2716	4608	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
PID 4608 wrote to memory of 2716	4608	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202q.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe
PID 2716 wrote to memory of 64	2716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
PID 2716 wrote to memory of 64	2716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
PID 2716 wrote to memory of 64	2716	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202r.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe
PID 64 wrote to memory of 1116	64	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
PID 64 wrote to memory of 1116	64	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
PID 64 wrote to memory of 1116	64	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202s.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe
PID 1116 wrote to memory of 4616	1116	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202t.exe	68625d4b00bb20e7d719e3813bfba886bb8db82e8595415c39f58a2eeb378b60_3202u.exe