0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 19:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Size

393KB
MD5

8be9348d4e44974fc85d4b23d59a85b4
SHA1

0a1559b085a6aa54a69c72923f69bac206bbd340
SHA256

0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d
SHA512

3a0c3e22e188709ff13ab5d63f13f2eaa301b386129b60bc8561fab796c341539ac2c83eea8d4604b505f0b699b3504d13d8c2bb7e02439421fb01c1bbcc394c
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bDh:Os52hzpHq8eTi30yIQrDDh

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 32 IoCs

resource	yara_rule
behavioral1/memory/1640-14-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1752-30-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2572-47-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2368-63-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2392-80-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2836-78-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2392-95-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1752-112-0x00000000006F0000-0x0000000000769000-memory.dmp	UPX
behavioral1/memory/2132-110-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/112-144-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/112-130-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/888-129-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1620-162-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1548-178-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2560-194-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1844-210-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2196-226-0x0000000000360000-0x00000000003D9000-memory.dmp	UPX
behavioral1/memory/2196-227-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/640-244-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1108-275-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2560-262-0x0000000000480000-0x00000000004F9000-memory.dmp	UPX
behavioral1/memory/2064-261-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1704-287-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/936-299-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/908-310-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1364-322-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2892-334-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2768-346-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1352-358-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/1880-370-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2872-381-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral1/memory/2728-385-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 26 IoCs

pid	Process
1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
1108	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
1704	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
936	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
908	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
1364	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
2892	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
1352	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
1880	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
2872	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
2728	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
1108	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
1108	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
1704	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
1704	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
936	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
936	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
908	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
908	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
1364	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
1364	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
2892	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
2892	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
1352	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
1352	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
1880	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
1880	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
2872	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
2872	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c5db6dcf921521c8	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1752	1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	28
PID 1640 wrote to memory of 1752	1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	28
PID 1640 wrote to memory of 1752	1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	28
PID 1640 wrote to memory of 1752	1640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	28
PID 1752 wrote to memory of 2572	1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	29
PID 1752 wrote to memory of 2572	1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	29
PID 1752 wrote to memory of 2572	1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	29
PID 1752 wrote to memory of 2572	1752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	29
PID 2572 wrote to memory of 2368	2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	30
PID 2572 wrote to memory of 2368	2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	30
PID 2572 wrote to memory of 2368	2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	30
PID 2572 wrote to memory of 2368	2572	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	30
PID 2368 wrote to memory of 2836	2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	31
PID 2368 wrote to memory of 2836	2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	31
PID 2368 wrote to memory of 2836	2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	31
PID 2368 wrote to memory of 2836	2368	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	31
PID 2836 wrote to memory of 2392	2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	32
PID 2836 wrote to memory of 2392	2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	32
PID 2836 wrote to memory of 2392	2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	32
PID 2836 wrote to memory of 2392	2836	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	32
PID 2392 wrote to memory of 2132	2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	33
PID 2392 wrote to memory of 2132	2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	33
PID 2392 wrote to memory of 2132	2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	33
PID 2392 wrote to memory of 2132	2392	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	33
PID 2132 wrote to memory of 888	2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	34
PID 2132 wrote to memory of 888	2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	34
PID 2132 wrote to memory of 888	2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	34
PID 2132 wrote to memory of 888	2132	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	34
PID 888 wrote to memory of 112	888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	35
PID 888 wrote to memory of 112	888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	35
PID 888 wrote to memory of 112	888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	35
PID 888 wrote to memory of 112	888	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	35
PID 112 wrote to memory of 1620	112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	36
PID 112 wrote to memory of 1620	112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	36
PID 112 wrote to memory of 1620	112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	36
PID 112 wrote to memory of 1620	112	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	36
PID 1620 wrote to memory of 1548	1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	37
PID 1620 wrote to memory of 1548	1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	37
PID 1620 wrote to memory of 1548	1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	37
PID 1620 wrote to memory of 1548	1620	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	37
PID 1548 wrote to memory of 2560	1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	38
PID 1548 wrote to memory of 2560	1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	38
PID 1548 wrote to memory of 2560	1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	38
PID 1548 wrote to memory of 2560	1548	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	38
PID 2560 wrote to memory of 1844	2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	39
PID 2560 wrote to memory of 1844	2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	39
PID 2560 wrote to memory of 1844	2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	39
PID 2560 wrote to memory of 1844	2560	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	39
PID 1844 wrote to memory of 2196	1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	40
PID 1844 wrote to memory of 2196	1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	40
PID 1844 wrote to memory of 2196	1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	40
PID 1844 wrote to memory of 2196	1844	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	40
PID 2196 wrote to memory of 640	2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	41
PID 2196 wrote to memory of 640	2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	41
PID 2196 wrote to memory of 640	2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	41
PID 2196 wrote to memory of 640	2196	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	41
PID 640 wrote to memory of 2064	640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	42
PID 640 wrote to memory of 2064	640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	42
PID 640 wrote to memory of 2064	640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	42
PID 640 wrote to memory of 2064	640	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	42
PID 2064 wrote to memory of 1108	2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	43
PID 2064 wrote to memory of 1108	2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	43
PID 2064 wrote to memory of 1108	2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	43
PID 2064 wrote to memory of 1108	2064	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	43

C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
"C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640
- \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
  c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1752
- - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
    c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
      c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2368
    - - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1108
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1704
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:936
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:908
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1364
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2892
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2768
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1352
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1880
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2872
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe

Filesize
393KB

MD5
8b14d122d77c06d5f365f320e7f71e1a

SHA1
d06fe365518f0e1604fdb3f9fdf24f7c8a6df9bb

SHA256
8f175dab92c38e3cd0f63f8220478d392bbb6195c4d76b9da96720155048644d

SHA512
141fdd002c7302128a45904f3e79c7e90c0f7e2d2f7034d86ee8d6dc591c5dcf14a808cc9a0f9ccf226411ba0b25369ffd7b3198e508d761e04cdd0139c0ccd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe

Filesize
396KB

MD5
bfb02ec57dafcbd356c103c16bf87734

SHA1
74f01bd5cb3c0cdec787303ba74d2adee75de940

SHA256
2eb0a0fb581e0f70c793d48c2e0a29b47c180a26427a251113ddfecc93cf5021

SHA512
c057d789998e159d99932f80463de2f571468f0bc058366872328990e20f90e2dffdd9e8115601a3e345c451446a6193e29994888aed124be25f73f40750e75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe

Filesize
396KB

MD5
827571c0317def7caa91a5d32f68ab1f

SHA1
d92b1272fc63c5239f1bc09486c2af7716477d8a

SHA256
dc1b566b8bff3e2210866cc01e36559c3dea29224abb11c261bc99bb5eb162f4

SHA512
e4e56279a9c0354fb8ba42011f09e1fdabbdbbaccbd15d5be7be1ce3920110190accc59d4efbdbd9ce661bf849ca39014a7458a1e2c25f10e111f9f601aec485

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe

Filesize
394KB

MD5
cf61ea91de7561c8e62c817516f10f68

SHA1
f93e28508842d275c7d65a92341295128f6c0c05

SHA256
29b4239f83a102af05b15e7def0a449744b59a44eea6097fd669cee70b2d099a

SHA512
efbfb679d4255c4aade0f75d6379fb3795353e0dc75306bd46325e832803372b6dad27cf181fd353303dcf210600d106fde9fc9269e0539f4ff76531da0ef4b7

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe

Filesize
394KB

MD5
9186d04143bd779467d468ce690dc8e3

SHA1
56319b795ca82cff1b735a0e3290ca3c618b934c

SHA256
df531ffba65ec5eb92610dcdc3e445de035198e31f455d6020416c44b204df38

SHA512
77425e87e96f4809d68af210e3c4154f7ad00448ecc7b6cd3e0f28ea43ac932bf84e0eb60f27dd6eb1962c2f44735a07477f1ec63985500ef296bb0c29b26c7d

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe

Filesize
394KB

MD5
46b4593c078c166bcb13541ba8c861b2

SHA1
1af396d124e075c3f4872dea869aff3e426379d7

SHA256
b0599ee29ef305b8e5012d3f6184a09f674179e2fac24935091329246078959d

SHA512
97066c556027d49f34d8fc9394bb71f4fb490c41213db29e237ed299ffd7055779dbe3840a8d222187699c9a6f6f1dd6ad84ed09db2025235213b0cea51cd57f

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe

Filesize
394KB

MD5
f6f1e071aa4cca68eb72aa7474ac41fb

SHA1
f66dea2e468bd547798e82778e92f3ac8d2accac

SHA256
4661f97ef429bd23a590e1ff4ca3a2632ae32b6f0cc03800d34154012fcc7644

SHA512
1842b8e0c24240020a518fa1ada346d8ae54e63ec073fc0011f065582f96b2ec78e88d7091df4bef91ea7ab21f1214f5aa7a48243ea686d53cf4c8f4fbe34b87

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe

Filesize
395KB

MD5
2a568a6e5e3894ea82c46583223693bb

SHA1
076181273c523fb7cf85e8db023e1b91390644fe

SHA256
489360863d6e2b63192c9817c1e8cb0c2937cb5d3b3477269d74d9efd6fe5d49

SHA512
0027eba1fc7e3f5b7da1b057f01e40d114dab471808809aaf4760bb300acbb88280cb8b192ec9a65a07d1aef22e5144e8eab22ab290713160fc04cd2ae79dbbe

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe

Filesize
395KB

MD5
ed940d780f302d5c3db6e047c7499842

SHA1
7f3503c55f0a91d9421194b55f2ceddc0b1c8b62

SHA256
3dd6289d861b17c9606d9e34e4df8254bdfb6d6b0a13fac3df4df62654a07e6c

SHA512
b908e264ef36f25863892b424b79eecfee87260e1bf8cd768441544aefe0f787a366c0b139a727b27cd9ccad2d12989c54f4bbe85b0cc9b6aee9facdd619010d

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe

Filesize
395KB

MD5
d6d8a0b970dd6601a77cc29321fcc9b8

SHA1
4606491943aa98bdf331ecaab44cbf761c649ae3

SHA256
f7d2484bae33cc33d38ad72a6258c4afbeaccacf8644075eca26271f6b771e4c

SHA512
a9924bee8d15446519945099babe74ba8eba9b09135d0015baa252b31e4a433b44c0b22dd75186de856999f77b650f9dfef171c8a0e82a258c39d379b0f8215e

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe

Filesize
395KB

MD5
16ae7da76f59465890f81d2f01c39077

SHA1
f6638b9932b19da3badfb983d9b7bfc952a6bc57

SHA256
bff0429032995d4d732f866cbd58184ca111c56c6eceb39ede02ba71d21e4637

SHA512
3d16dc5f3b8d33a1a192f900d119324f897856f173ed922436df65439a5e90c0172ae7bb0e8d054a558187ee12f4e245c2e2e4390987c179857b1e0eab2cc5e5

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe

Filesize
396KB

MD5
e4a6a51e16ca61bde940d9581cff4d83

SHA1
2715c2ed029fb1453fe5ce31174f70928c6b8d1a

SHA256
dfd4d4b69ab5302a4704ad9cbafef52577bb780407949573a5956d6ae3c0d62b

SHA512
2317e218ff52430145eb30703c6f50418c0600345c5a419d53370ac9eb24feceea3ec527f4a7436c280523e96bc477ae0dde6c1f9d1b2a818d1f90cc0708526f

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe

Filesize
396KB

MD5
27b1e8d6349c4cb371a02fa045e30efe

SHA1
8f1a11873b05decbc3bacf5d2b9d4b77bae57e00

SHA256
211576515bf79d417d86a6d5b02e4e2a9b6664a0a2009ea1f2a2ace28e50bddb

SHA512
cb8917da1ba3994719478e478f909a2b2ea6baea892a84881d5fdb758e676007ade416a665df55d1036c66d2b6f867661c8418820a4ffb92100f08571b92e5c0

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe

Filesize
397KB

MD5
4b28f69651cad0cf7b6721a1adc2fc2f

SHA1
4d3bb8fc12637e60f136349209d98c5b0aa7fd0c

SHA256
8bdb66a1bc9530c2646bf789ecfae65d088c4e5d974359505fb13d539814d6d7

SHA512
6a84755b0d55e75f91f337c889bbfaf298c2fca1e2306d6edb8dbb6658c1a573eaf00080661cf98323c4edd205176f0ce6cdd761fab97c0afec9c6b7033d2260

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe

Filesize
397KB

MD5
e1c14d3f89517bdeeb066680390d3f1d

SHA1
f7d73dc5adccf8c62d3779bbd37b43c176ba4c9c

SHA256
6efa4b256389f40feb078ba82f9223079a2ee9caf82409a9a0728a94c70f4955

SHA512
172c77d81e23793e59500c5e9234f73e6354b7e792d6235f518441e3d2a3a03dfe828bbc299fac4f14ce6d279de898b017002e6d7cf9de0777c54a94e3b143a7

Download Submit
\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe

Filesize
397KB

MD5
e9c64a461c8462588c30c236b916e53b

SHA1
3193c22f6adcd634cff1cd9b8208dc81fbe750f2

SHA256
f83fbe077bb7444016584b302decea45ef2c1cb0b07f7a36ee29726e872e3eed

SHA512
b61471986ea7fc2ae18f2c993d9e96b680649d73980600475ce60b602cf754d91630957a3cb95761d690ecd8260c790a4a25dec2c29484b8f7935755777caf9e

Download Submit
memory/112-144-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/112-130-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/640-229-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/640-238-0x0000000001DE0000-0x0000000001E59000-memory.dmp

Filesize
484KB

Download
memory/640-244-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/888-113-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/888-126-0x0000000000500000-0x0000000000579000-memory.dmp

Filesize
484KB

Download
memory/888-129-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/908-310-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/908-382-0x0000000001E60000-0x0000000001ED9000-memory.dmp

Filesize
484KB

Download
memory/936-288-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/936-299-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-263-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1108-275-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1352-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1352-347-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1364-311-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1364-322-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1548-163-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1548-178-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1620-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1620-160-0x0000000001E60000-0x0000000001ED9000-memory.dmp

Filesize
484KB

Download
memory/1620-162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1640-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1640-14-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1704-287-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1704-276-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1752-112-0x00000000006F0000-0x0000000000769000-memory.dmp

Filesize
484KB

Download
memory/1752-29-0x00000000006F0000-0x0000000000769000-memory.dmp

Filesize
484KB

Download
memory/1752-30-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1752-31-0x00000000006F0000-0x0000000000769000-memory.dmp

Filesize
484KB

Download
memory/1752-15-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1844-196-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1844-210-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1880-359-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1880-370-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-261-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2064-246-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2132-96-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2132-110-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-227-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2196-226-0x0000000000360000-0x00000000003D9000-memory.dmp

Filesize
484KB

Download
memory/2196-212-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2368-63-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2392-80-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2392-95-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-195-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/2560-194-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-179-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2560-262-0x0000000000480000-0x00000000004F9000-memory.dmp

Filesize
484KB

Download
memory/2572-47-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2572-33-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2728-383-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2728-385-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2768-335-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2768-346-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2836-64-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2836-78-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2872-381-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2892-334-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2892-323-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads