d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
Size

535KB
MD5

5aee931837ed41692a554a46c356c1ad
SHA1

8425af5f72985be264c8fa185f653fe6c35599ae
SHA256

d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25
SHA512

a2c8fac2aa70611935b0676a4775f89dd2fe23b2d17294a311ceadfbedc582eab7bcb181391ebfa46a95c449651266c28b516eadcb3dede7d52468f9cc0ae922
SSDEEP

6144:phbZ5hMTNFf8LAurlEzAX7orwfSZ4sXUzQIQfVKezcdwgg:jtXMzqrllX7EwfEIQtz

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
1484	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
1620	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
1148	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
2104	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
1672	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
980	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
1160	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
2064	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
2000	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
2052	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
1776	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
1484	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
1484	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
1620	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
1620	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
1148	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
1148	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
2104	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
2104	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
1672	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
1672	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
980	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
980	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
1160	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
1160	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
2064	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
2064	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
2000	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
2000	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
2052	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
2052	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000b000000012263-5.dat	upx
behavioral1/memory/2872-14-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2136-12-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2872-29-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2280-30-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2872-25-0x0000000000270000-0x00000000002AB000-memory.dmp	upx
behavioral1/memory/2280-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2720-81-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2584-73-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2584-61-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2680-58-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2720-91-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000015cf0-98.dat	upx
behavioral1/memory/2516-104-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2428-119-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1212-142-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1572-134-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1572-127-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1972-157-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1212-150-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1972-165-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1752-179-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1492-193-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0006000000016a8a-201.dat	upx
behavioral1/memory/1912-210-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1816-208-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2224-224-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1912-222-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2224-238-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1484-249-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1148-260-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1620-259-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1148-270-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1672-281-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2104-280-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1672-291-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/980-303-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/980-301-0x0000000000250000-0x000000000028B000-memory.dmp	upx
behavioral1/memory/1160-313-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2064-323-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2000-324-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2000-334-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1776-346-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2052-345-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1ac66ffea9bbceee	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2872	2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe	29
PID 2136 wrote to memory of 2872	2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe	29
PID 2136 wrote to memory of 2872	2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe	29
PID 2136 wrote to memory of 2872	2136	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe	29
PID 2872 wrote to memory of 2280	2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe	30
PID 2872 wrote to memory of 2280	2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe	30
PID 2872 wrote to memory of 2280	2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe	30
PID 2872 wrote to memory of 2280	2872	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe	30
PID 2280 wrote to memory of 2680	2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe	31
PID 2280 wrote to memory of 2680	2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe	31
PID 2280 wrote to memory of 2680	2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe	31
PID 2280 wrote to memory of 2680	2280	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe	31
PID 2680 wrote to memory of 2584	2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe	32
PID 2680 wrote to memory of 2584	2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe	32
PID 2680 wrote to memory of 2584	2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe	32
PID 2680 wrote to memory of 2584	2680	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe	32
PID 2584 wrote to memory of 2720	2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe	33
PID 2584 wrote to memory of 2720	2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe	33
PID 2584 wrote to memory of 2720	2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe	33
PID 2584 wrote to memory of 2720	2584	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe	33
PID 2720 wrote to memory of 2516	2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe	34
PID 2720 wrote to memory of 2516	2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe	34
PID 2720 wrote to memory of 2516	2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe	34
PID 2720 wrote to memory of 2516	2720	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe	34
PID 2516 wrote to memory of 2428	2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe	35
PID 2516 wrote to memory of 2428	2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe	35
PID 2516 wrote to memory of 2428	2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe	35
PID 2516 wrote to memory of 2428	2516	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe	35
PID 2428 wrote to memory of 1572	2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe	36
PID 2428 wrote to memory of 1572	2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe	36
PID 2428 wrote to memory of 1572	2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe	36
PID 2428 wrote to memory of 1572	2428	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe	36
PID 1572 wrote to memory of 1212	1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe	37
PID 1572 wrote to memory of 1212	1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe	37
PID 1572 wrote to memory of 1212	1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe	37
PID 1572 wrote to memory of 1212	1572	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe	37
PID 1212 wrote to memory of 1972	1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe	38
PID 1212 wrote to memory of 1972	1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe	38
PID 1212 wrote to memory of 1972	1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe	38
PID 1212 wrote to memory of 1972	1212	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe	38
PID 1972 wrote to memory of 1752	1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe	39
PID 1972 wrote to memory of 1752	1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe	39
PID 1972 wrote to memory of 1752	1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe	39
PID 1972 wrote to memory of 1752	1972	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe	39
PID 1752 wrote to memory of 1492	1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe	40
PID 1752 wrote to memory of 1492	1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe	40
PID 1752 wrote to memory of 1492	1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe	40
PID 1752 wrote to memory of 1492	1752	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe	40
PID 1492 wrote to memory of 1816	1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe	41
PID 1492 wrote to memory of 1816	1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe	41
PID 1492 wrote to memory of 1816	1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe	41
PID 1492 wrote to memory of 1816	1492	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe	41
PID 1816 wrote to memory of 1912	1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe	42
PID 1816 wrote to memory of 1912	1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe	42
PID 1816 wrote to memory of 1912	1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe	42
PID 1816 wrote to memory of 1912	1816	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe	42
PID 1912 wrote to memory of 2224	1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe	43
PID 1912 wrote to memory of 2224	1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe	43
PID 1912 wrote to memory of 2224	1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe	43
PID 1912 wrote to memory of 2224	1912	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe	43
PID 2224 wrote to memory of 1484	2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe	44
PID 2224 wrote to memory of 1484	2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe	44
PID 2224 wrote to memory of 1484	2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe	44
PID 2224 wrote to memory of 1484	2224	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe	44

C:\Users\Admin\AppData\Local\Temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
"C:\Users\Admin\AppData\Local\Temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
  c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2872
- - \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
    c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
      c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2680
    - - \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1484
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1620
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1148
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2104
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1672
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:980
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1160
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2064
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2000
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2052
        
        \??\c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe
        
        c:\users\admin\appdata\local\temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe

Filesize
535KB

MD5
557d56d31fb1a5a422cad1052a0a8191

SHA1
a88471da43bf235f4038cc53f7e40becd7be0bc8

SHA256
2d332cc1fd7718a9f23b834481f035e6a6ae19c5d54fe1703b8d3409c14ffb1f

SHA512
09abbd24d167bd5d56b5f08c5d952fef53225ecbc456b5e17fd51957b3b69c236897990e69d1fcbcbd0291dfbb1161180a2ddac97efa8e5bb9d5d810ff9680d8

Download Submit
\Users\Admin\AppData\Local\Temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe

Filesize
535KB

MD5
af668ca9a5da2de9dcb4096ca43dcb91

SHA1
a9041abad3993748b4413c10a3363b20587ef9e5

SHA256
0159f81b75c07d55b62a366ae8ddf1023433d45eab23f85695b9d2a2ed8f774f

SHA512
536dfe6dd31a2c24fff9002942781f7812dc48058257dc776f0035e53f5331288f0208435ef07d65931f0bb88807566437b2d7b87a5e3c2b6ec9daf64ac84bb1

Download Submit
\Users\Admin\AppData\Local\Temp\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe

Filesize
535KB

MD5
75e954266384fac95a330370006a6362

SHA1
e37d363105ec14f6bdc04ac63f4df973bf981650

SHA256
f01ee1813e8c8bd53806a330d1bc5e9530c38bcc901f0e04b2a87d1f651ec78a

SHA512
3b30a158aee19b43aeed8499270b3a9a3a89d891b0e703ec4382d8123612a02afba3b8b64851872463a57cb3126d067cdc8f19130d0869a5680d10c10a02c8af

Download Submit
memory/980-302-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/980-301-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/980-303-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1148-270-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1148-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1160-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1212-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1212-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1484-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1492-193-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1572-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1620-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1672-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1672-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1776-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-160-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1972-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-334-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-344-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/2052-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2064-323-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2104-280-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2224-238-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2280-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2280-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2428-114-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2428-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2516-104-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2584-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2584-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2680-53-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/2680-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-91-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-89-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2720-88-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2872-25-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2872-29-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2872-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202m.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202y.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202g.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202t.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202l.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202f.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202o.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202r.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202c.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202v.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202k.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202q.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202x.exe\""	d984b0fcdeb60fc2a1773a00ebb10b874d5d36fe3f2d301bda7fafa95cfeba25_3202w.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads