37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe
Size

427KB
MD5

0a661cc5b92cd6d054b7a1f21d023d11
SHA1

7a9e7d95ca459c1a643996ff862f6e3a3abd384f
SHA256

37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497
SHA512

8dcddcd60ad5f13b7295f1a7fe2f49e241e0011c4ed12369d908c91112b30f88b342a7f083e4ec4c2553eaaed599237031aa2b3ce9db971fb3a4b76baa3654ba
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIgqkOiRYCovGqQq:WacxGfTMfQrjoziJJHIXTCovA

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4596	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
3728	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
740	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
4972	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
1384	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
3356	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
2908	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
1992	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
1580	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
4744	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
1996	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
4784	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe
4380	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
4420	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
2488	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
1028	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
1396	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
808	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
4000	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
736	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
900	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
3792	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
2960	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
316	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe
4632	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
1276	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1836-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0006000000023288-5.dat	upx
behavioral2/memory/1836-9-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0009000000023407-16.dat	upx
behavioral2/memory/4596-19-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002341f-26.dat	upx
behavioral2/memory/740-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3728-34-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023420-37.dat	upx
behavioral2/memory/740-40-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4972-41-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023422-48.dat	upx
behavioral2/memory/4972-51-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1384-60-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023423-61.dat	upx
behavioral2/files/0x0007000000023424-68.dat	upx
behavioral2/memory/3356-71-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2908-72-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023425-81.dat	upx
behavioral2/memory/2908-80-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023426-89.dat	upx
behavioral2/memory/1992-91-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023427-99.dat	upx
behavioral2/memory/1580-102-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4744-108-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023428-111.dat	upx
behavioral2/memory/1996-112-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4744-119-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023429-121.dat	upx
behavioral2/memory/1996-123-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002342a-133.dat	upx
behavioral2/memory/4784-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4380-142-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0009000000023418-143.dat	upx
behavioral2/files/0x000700000002342b-153.dat	upx
behavioral2/memory/4420-152-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002342d-161.dat	upx
behavioral2/memory/1028-170-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2488-163-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002342e-173.dat	upx
behavioral2/memory/1396-181-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002342f-183.dat	upx
behavioral2/memory/808-190-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a00000002337f-194.dat	upx
behavioral2/files/0x0007000000023430-205.dat	upx
behavioral2/memory/4000-218-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/900-219-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023432-227.dat	upx
behavioral2/memory/3792-228-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023433-237.dat	upx
behavioral2/memory/3792-246-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2960-244-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/900-235-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023431-216.dat	upx
behavioral2/memory/736-214-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4000-203-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/808-202-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1396-193-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1028-180-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023434-248.dat	upx
behavioral2/memory/2960-257-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4632-263-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023435-262.dat	upx
behavioral2/memory/316-260-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b3a3fc0716e11ad5	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 4596	1836	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe	82
PID 1836 wrote to memory of 4596	1836	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe	82
PID 1836 wrote to memory of 4596	1836	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe	82
PID 4596 wrote to memory of 3728	4596	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe	83
PID 4596 wrote to memory of 3728	4596	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe	83
PID 4596 wrote to memory of 3728	4596	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe	83
PID 3728 wrote to memory of 740	3728	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe	84
PID 3728 wrote to memory of 740	3728	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe	84
PID 3728 wrote to memory of 740	3728	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe	84
PID 740 wrote to memory of 4972	740	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe	86
PID 740 wrote to memory of 4972	740	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe	86
PID 740 wrote to memory of 4972	740	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe	86
PID 4972 wrote to memory of 1384	4972	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe	88
PID 4972 wrote to memory of 1384	4972	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe	88
PID 4972 wrote to memory of 1384	4972	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe	88
PID 1384 wrote to memory of 3356	1384	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe	89
PID 1384 wrote to memory of 3356	1384	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe	89
PID 1384 wrote to memory of 3356	1384	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe	89
PID 3356 wrote to memory of 2908	3356	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe	90
PID 3356 wrote to memory of 2908	3356	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe	90
PID 3356 wrote to memory of 2908	3356	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe	90
PID 2908 wrote to memory of 1992	2908	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe	92
PID 2908 wrote to memory of 1992	2908	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe	92
PID 2908 wrote to memory of 1992	2908	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe	92
PID 1992 wrote to memory of 1580	1992	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe	93
PID 1992 wrote to memory of 1580	1992	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe	93
PID 1992 wrote to memory of 1580	1992	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe	93
PID 1580 wrote to memory of 4744	1580	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe	94
PID 1580 wrote to memory of 4744	1580	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe	94
PID 1580 wrote to memory of 4744	1580	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe	94
PID 4744 wrote to memory of 1996	4744	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe	95
PID 4744 wrote to memory of 1996	4744	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe	95
PID 4744 wrote to memory of 1996	4744	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe	95
PID 1996 wrote to memory of 4784	1996	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe	96
PID 1996 wrote to memory of 4784	1996	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe	96
PID 1996 wrote to memory of 4784	1996	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe	96
PID 4784 wrote to memory of 4380	4784	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe	97
PID 4784 wrote to memory of 4380	4784	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe	97
PID 4784 wrote to memory of 4380	4784	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe	97
PID 4380 wrote to memory of 4420	4380	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe	98
PID 4380 wrote to memory of 4420	4380	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe	98
PID 4380 wrote to memory of 4420	4380	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe	98
PID 4420 wrote to memory of 2488	4420	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe	99
PID 4420 wrote to memory of 2488	4420	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe	99
PID 4420 wrote to memory of 2488	4420	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe	99
PID 2488 wrote to memory of 1028	2488	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe	100
PID 2488 wrote to memory of 1028	2488	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe	100
PID 2488 wrote to memory of 1028	2488	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe	100
PID 1028 wrote to memory of 1396	1028	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe	101
PID 1028 wrote to memory of 1396	1028	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe	101
PID 1028 wrote to memory of 1396	1028	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe	101
PID 1396 wrote to memory of 808	1396	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe	102
PID 1396 wrote to memory of 808	1396	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe	102
PID 1396 wrote to memory of 808	1396	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe	102
PID 808 wrote to memory of 4000	808	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe	103
PID 808 wrote to memory of 4000	808	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe	103
PID 808 wrote to memory of 4000	808	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe	103
PID 4000 wrote to memory of 736	4000	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe	104
PID 4000 wrote to memory of 736	4000	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe	104
PID 4000 wrote to memory of 736	4000	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe	104
PID 736 wrote to memory of 900	736	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe	105
PID 736 wrote to memory of 900	736	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe	105
PID 736 wrote to memory of 900	736	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe	105
PID 900 wrote to memory of 3792	900	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe	106

C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe
"C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836
- \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
  c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4596
- - \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
    c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3728
  - - \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
      c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:740
    - - \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3792
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2960
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:316
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4632
        
        \??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe
        
        c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe

Filesize
427KB

MD5
ed65a1bfb23fa38d8aad5aa07417bdbd

SHA1
125b88a8d8e45f472e5b408e92e9a265ba80a240

SHA256
9ee1b761303f3728a9191ce64e3b6acc8b8ae28995987d41952194d8da449055

SHA512
197c34adecd20db36c85120ef42c58d5b0d559bd5bb8417a592a724001897472316706a419e83830c97a9adea89d3fa59d3131eee58a7778bb4b4810a63471a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe

Filesize
427KB

MD5
c0b9df5936532da887c077432883729d

SHA1
a2ad56192e9d8f7ffd7124a2ef92c44e214f1eca

SHA256
14e949fdef8e9c95eeffa76fbe460601ab07611f246e6db860ea90023ef5b7d5

SHA512
f143696d7acce2bc178694b6d084a97b261415892058530c9d6faeac8342c4c06454ca314f3f39aca70124f65a9dcbc0f2dbddc2a39686f594a7ff9cb69c7a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe

Filesize
427KB

MD5
7ebe719daf20a7dea25b83517e6b10c5

SHA1
ace3c8bdf20a3d823d6cc3018f6659e1ec84ba72

SHA256
538fad87a936fb92740e0d81a681610cecf11e630292f7bfafe645ac4d917b47

SHA512
4bd86e4aeeda7968982d2a5ab455f4c156dc13900fd91a28bcd21e03fa29b0c2d7ce13751d94cadf6029fbaf12ce347a83ac2b52bde4a880361172734e12189d

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe

Filesize
427KB

MD5
237fbe913f109503bfaf673b9ccd30cc

SHA1
e4ecfff54899b14fc0e033bc2d68e7570f27dcac

SHA256
25eda12a0f69d1f59d2536bb8c407e17c39a815614e670e4045d6354bb16ad2e

SHA512
7be6bc7f9eea7d450c4ac8e8bc0be3b871ef78d6d309ec2f795461f0098656884ba7d5d1e1ff7cbd34feac9194dfc7fb354e51e7dbbb55039c20e860f1772677

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe

Filesize
427KB

MD5
8674168aeafd2d5001d30ea068493b89

SHA1
0363a3a3f95bc965af789f5d736e26ddf85ffa80

SHA256
866823c2d9852ee7a2ced7592dcb174d4b59bea85dd83c00fd9c2b70669fc053

SHA512
f37dc9657377bd22c84be4101ac43b2d76f185d98fb0c7225604308aa9125d4b665c0aea55ceaf38a459facdae8b1d3e313243e6950b82b0ba17abce0d57448d

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe

Filesize
427KB

MD5
80d76421eda8a32f2e574702461872b1

SHA1
64335b14f88a75e1b5b884d07d62a434416a9874

SHA256
a396b6c37ed7932943ef44f8b0d3c229370395e79335567c6a351b1f9a89f781

SHA512
492e15e66d4fb99ae1e275f34ea858a5d28d6b46ba08855a58c422ea9f91bf831514aaafb510e47439452a920727f3493c6dc2f9cea38b4a5ec986c2ceb0bf2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe

Filesize
427KB

MD5
090d4af2cad1bb30da34fe34efb45775

SHA1
af7054ae1c777796eb4067caadc66f41f944886b

SHA256
349c972dba4c3d6e8b4f6c86d4563aa9b5ab72679b3e8d3d33e8c88ac6c62ea1

SHA512
c88d3e6534a7280ce2e8617ff21f448ca31eff3fd73db780e1590e8bd3b51d86dc23fb7cc6c38757a0fab5825e67e005f9fba41c64ef93c44465e8c091cb4ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe

Filesize
427KB

MD5
f92d122779fdb0d1b7718095712983d2

SHA1
9d82587a2980b6807175f7922c0433a17e3000d9

SHA256
dae3aadefdc7e420c19cae1e989919df9eae6b1f0f598e4ddd463cb0df58c5f4

SHA512
adcdc52b25b2edbc785e96e5c9adf52728114d5472425e4944ed725de981645a7da54d8f4d58234b06680e3fbec3ab71c106df2da7bee2106a67cd33c54a04cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe

Filesize
427KB

MD5
b0ea89afe00e175dbf32586d325a21ac

SHA1
a96da55dd67d8bf9f83ccbdde682274e905995ec

SHA256
720a45ace38497c703bbfcae8c1920b86c34c23f25648f6fded580318d2874aa

SHA512
5c6e819436a0a983d124dad25e7f1c00dbce9252787537bc8b02fd648076f7d0cf0be71b6cdd39dce9503b1557089183c64e39e1be01a690937b94ce27ee6492

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe

Filesize
427KB

MD5
68e0d8378507658450f4b9c240f5688c

SHA1
05f3c17f3ef00158bf4ab7fd5fca89538b99af5c

SHA256
4ac68b9897e05353c1d433255eb4be2be8f3ba025884060711854d6b1c017dfd

SHA512
6e0aa04e5e895d87443d0bd20d258bc6440f7f004efac95d430de5bbcd1baf4d45f5831bdf4e007913bbdaf18891874aca24f27973db454afd36f8a865f87fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe

Filesize
427KB

MD5
b8dc8f0906d44e70c8136d7af8bfddcc

SHA1
f19327aa69024630fa73a2eca00251aff17b6d86

SHA256
2879663463cc78aebc9e4510ccdbbc4c65a99393230757045fe8b52789d4a8af

SHA512
250b3239df9d3f9beafe59b1b97c1214c11a265f6a9c4fa38c9b7d5ed18c7326eebd11c2b820c518d0f6b4d9d692bd75e459d66507c50cc55fb4575bca954606

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe

Filesize
427KB

MD5
78fb23b48c9c60c739b31073468e36cf

SHA1
ca2efd3272132b29473cd9b8d0321e09b8600ca9

SHA256
2d90aa921493b49dfcdb6dbe22a6cf17ff8df0a940194f960e25a2a9de610fc8

SHA512
a97575e4998559e556536966de2f4ef4ac84221693db091be725ad8b473ce1bb2b13a6973132e26021ee374a7aaee300c52a3a10008bc57711554be175905ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe

Filesize
427KB

MD5
eceefe26b6a59559656ec8e33852da4d

SHA1
80839868f7c16a9fa20d15519b1712507aca496b

SHA256
c06f03f5e7287b8fa80597955918464d2af6c26d262ca7838480e5b492fa7fb7

SHA512
83472c2cd4975222b9f0fb7c982cd76932b4b4d457966d1762b0a2ef6c94d0ac7fe1da101bc8ebe9800523ecd7fdcec90bf2548b0f1666a3d8841532839e383e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe

Filesize
427KB

MD5
c216f19d1e025f3b8027a492c1d34f3e

SHA1
24bd137d17f486272e916803e03a430beb2745bd

SHA256
08779e16fa387e781771eb996c40ff4dc0a0a4a49fdb680743aa957108cbb329

SHA512
5ddc602ae59226b7ae4771313a6ee29fc92b0bf3ee26adad423cb982c4a5dbb2af0827128eecc2e0aad4f11e47ceaecb62c76636076f08c942273903726f7c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe

Filesize
427KB

MD5
70daba602431fdd87a2439a3d74ea19a

SHA1
dc09c24a18bef81a1ae1ddafa91822c284b23db2

SHA256
4e6bdfde7d3ff1f4ea33d35a1b566360589b0f32f5dd92086606c2539a36dc79

SHA512
7c835b0c86975d0dcc35d09a318323b1f7b41734c301732f97692384b1bcdd442fae502fc810ec48b63136f74c474190964c22c851899cf28459a4b4fcf17e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe

Filesize
427KB

MD5
a2bb461ec0459b71b88c9e324d53bb84

SHA1
a02bdfb3c5e97ee686004b6a315bba20501a05c1

SHA256
b3363d223aacfe449a169be3074748e86a0fab732567472f48c3ff0cb0df9dcf

SHA512
a84dfef1697e14e0dc65149b98884e2ccee03d2736a91ed366513e1be5be27eaf4affb033c3c803b0b1d9bf4d9e065d9070597f17a20f8039500f4a8d0903f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe

Filesize
427KB

MD5
fa81ce444e02815d319a58766dbfbdd6

SHA1
144aa04137d9e99f97ba140a40098a6ddd17a842

SHA256
b84a6a6086ab00440abf0761a9f1980d58b8a1bf4602b1fb72cd6dae3da55913

SHA512
1fbe927a266024c57031f8f15bcf857fac7ee6db0a8bc4f3eff5a3e1e164e77861f0cf700cea94b0be46b65a0a0b4fd8d99db819c0ab62ced3499fc23292dc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe

Filesize
427KB

MD5
3e1a31977c449d7dc27255ad094f737c

SHA1
0939c4c23ce8afe5440ab76c2e6ce8a5e588e7c4

SHA256
e52066942d4ea04e54884eab899e3413291a37052aca77fd5a5ebf5038779043

SHA512
853f577786aa89b0eef84b218022feddf7492a118ad2a64f42f92fffb645663cb8e9069a921fd86f23196d8e21bad6aa617451d67a1611ad3bd1d235d9c490a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe

Filesize
427KB

MD5
8fb5adec9750ea361214d39fd467e31c

SHA1
9cb39a07e908e103005c8825200b701d11cad687

SHA256
8a04e351f8f438e6add5e258a29fa726a8d051cf58294cda4264eda8d2c43370

SHA512
26c484435327ff188263d1909d75aaf7dcfcb0015bff69e323ac5404ab16870151ca95a9cec22eb8aa8d35b8d486baf58f23fb2632f1f21054344471aecc5239

Download Submit
C:\Users\Admin\AppData\Local\Temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe

Filesize
427KB

MD5
a9c73e13ab2829a367c154d770408ba9

SHA1
0b0b0ead876d05302f3018394d3eaddaae5ea46a

SHA256
53802b6e955791715634335a74a872bc9933320e8d541baed0b8ded285f2b37f

SHA512
44889ce5a420f45498524b934468a7e7eafb98bada3e98a7466a853b495f54665f52e013307bf82ed74ab5d54ac41ad6f26e9b38eb46596cefc6a57df7d2248a

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe

Filesize
427KB

MD5
18fb7bab7fda286a9345ede3e0a126a4

SHA1
279b6742508602f4568ac8e112e57f268e656d3e

SHA256
013c5f321d9e2e51efb78848ed0343a2076f818f728727c332194fdb58a2b6ac

SHA512
41ceb502d474274fb7ef1b24861857b8185a84e4718db52b41bcab2eb17073b10a7d95c07f0e30a828041f30f5043b6f0c85987f90632a3e6d418ff7f78fe710

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe

Filesize
427KB

MD5
7e48c39fbc218f0f59e85dbd28097f30

SHA1
3ea13328738a82a608a068c83d5dc381da5b8768

SHA256
c8823942cf4bf2c8f138d801b084cd8bf6903548c983acda2cd2ee4a1b84db24

SHA512
cf02dbd75bc30f890a2eef226fc421472ca12cd036e54274efaa0619f07e4451ee832c9145fc23ef1fb97aa4b1e6e76275399e2e8dec94e04fd4b7ffe4f9ca6d

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe

Filesize
427KB

MD5
31d583ae28705126d489b7619e884523

SHA1
261e3a8330450ad7e1f2dd36d494b0a64c58fb45

SHA256
3772fa2506a46cc296bb2fca17a9eb635129f56ee394d85eab0ea7119cf5077c

SHA512
4a72b62e7d156d6c823c2bb7f99f30edcb23432f340bb7e06d4396fd5124439fef42b17a1a98b8823d5007ed8f5076efc6348ad0889bf8319caeb48911f7b603

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe

Filesize
427KB

MD5
1ecd22a8e1b42303a30c6bdf5ecae5da

SHA1
bbb78faf14d6b9ced8ac9a224537b9021b372cd2

SHA256
4db2f5330b84e12abe9219c1ff7e10425cc13140a6edd70c2c5230151a51754f

SHA512
7f88ed00332fb04789352474ff563442c10669a42a1d4c73c79627d648075b736efd4cd5634f3633555eae76accfc53b9d84e9f79a843950dd1a4eeea5492a67

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe

Filesize
427KB

MD5
ec82947714a899d899284e0d720a29db

SHA1
69a60a8b33c683d9a3504f8167f30e3cc2846993

SHA256
5699a2e3dcc2e708357e4ff3932aebd7cd7cf203eefac1dceea40ad422e81556

SHA512
3ccd3be15a07e0c12ed40ccc3da564bbe4a4f938ffbe80123aa48b498e5fb33df4b9d56981d2b820154c0218dddd871472b5c8b7cc86606c36dc932557f214d9

Download Submit
\??\c:\users\admin\appdata\local\temp\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe

Filesize
427KB

MD5
5caf90f8637bde70950ae142956bf623

SHA1
4e0d68e48fcbc60f174a75d760a9c5b958fd9a70

SHA256
d8ab83a240b6ff6e6e2cc7b5c96373f18ff092260f05c67f66f12ec3f1f8bc2c

SHA512
04d0b96dc4a91042d551ba349a55471a2c1f9c12edb2d811667cb65e82719858c99c61371882c0325f44d47219dfe91bff771fa2fc67243b001d49ab63fb2af3

Download Submit
memory/316-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/316-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/736-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/740-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/740-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/808-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/808-202-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-219-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/900-235-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-180-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1276-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1384-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1396-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1396-193-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1992-91-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1996-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2908-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2960-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2960-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3356-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3792-246-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4000-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4000-203-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4380-142-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4420-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4596-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4632-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4632-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4744-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4972-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202g.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202y.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202j.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202f.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202o.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202l.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202c.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202r.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202u.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202x.exe\""	37371e28bb2e58554d8066b0888519c5758e7e51355e68a8286ebf431f3c4497_3202w.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads