0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 19:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Size

393KB
MD5

8be9348d4e44974fc85d4b23d59a85b4
SHA1

0a1559b085a6aa54a69c72923f69bac206bbd340
SHA256

0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d
SHA512

3a0c3e22e188709ff13ab5d63f13f2eaa301b386129b60bc8561fab796c341539ac2c83eea8d4604b505f0b699b3504d13d8c2bb7e02439421fb01c1bbcc394c
SSDEEP

6144:it03a62hzpSNxV2qcJVLNyTiY6wDyIJ2r/bDh:Os52hzpHq8eTi30yIQrDDh

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 36 IoCs

resource	yara_rule
behavioral2/memory/3752-8-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2768-20-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1680-26-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1680-31-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3236-32-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3236-41-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4328-50-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3588-60-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1524-62-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1524-72-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1068-83-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4008-92-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3676-101-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/1552-113-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4272-114-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4272-124-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/396-133-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/624-136-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/624-144-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/4628-154-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2096-162-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2096-167-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2848-177-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2984-185-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3732-193-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3732-196-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2476-207-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2896-214-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2896-218-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/2692-228-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/400-238-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3032-250-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3384-251-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/3384-260-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/748-271-0x0000000000400000-0x0000000000479000-memory.dmp	UPX
behavioral2/memory/916-273-0x0000000000400000-0x0000000000479000-memory.dmp	UPX

Executes dropped EXE 26 IoCs

pid	Process
2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
1680	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
3236	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
4328	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
3588	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
1524	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
1068	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
4008	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
3676	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
1552	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
4272	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
396	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
624	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
4628	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
2096	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
2848	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
2984	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
3732	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
2476	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
2896	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
2692	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
400	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
3032	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
3384	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
748	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
916	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e6b0a0386d121efc	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 2768	3752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	81
PID 3752 wrote to memory of 2768	3752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	81
PID 3752 wrote to memory of 2768	3752	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe	81
PID 2768 wrote to memory of 1680	2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	82
PID 2768 wrote to memory of 1680	2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	82
PID 2768 wrote to memory of 1680	2768	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe	82
PID 1680 wrote to memory of 3236	1680	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	83
PID 1680 wrote to memory of 3236	1680	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	83
PID 1680 wrote to memory of 3236	1680	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe	83
PID 3236 wrote to memory of 4328	3236	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	87
PID 3236 wrote to memory of 4328	3236	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	87
PID 3236 wrote to memory of 4328	3236	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe	87
PID 4328 wrote to memory of 3588	4328	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	88
PID 4328 wrote to memory of 3588	4328	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	88
PID 4328 wrote to memory of 3588	4328	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe	88
PID 3588 wrote to memory of 1524	3588	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	89
PID 3588 wrote to memory of 1524	3588	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	89
PID 3588 wrote to memory of 1524	3588	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe	89
PID 1524 wrote to memory of 1068	1524	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	90
PID 1524 wrote to memory of 1068	1524	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	90
PID 1524 wrote to memory of 1068	1524	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe	90
PID 1068 wrote to memory of 4008	1068	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	91
PID 1068 wrote to memory of 4008	1068	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	91
PID 1068 wrote to memory of 4008	1068	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe	91
PID 4008 wrote to memory of 3676	4008	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	92
PID 4008 wrote to memory of 3676	4008	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	92
PID 4008 wrote to memory of 3676	4008	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe	92
PID 3676 wrote to memory of 1552	3676	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	93
PID 3676 wrote to memory of 1552	3676	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	93
PID 3676 wrote to memory of 1552	3676	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe	93
PID 1552 wrote to memory of 4272	1552	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	94
PID 1552 wrote to memory of 4272	1552	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	94
PID 1552 wrote to memory of 4272	1552	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe	94
PID 4272 wrote to memory of 396	4272	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	95
PID 4272 wrote to memory of 396	4272	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	95
PID 4272 wrote to memory of 396	4272	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe	95
PID 396 wrote to memory of 624	396	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	96
PID 396 wrote to memory of 624	396	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	96
PID 396 wrote to memory of 624	396	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe	96
PID 624 wrote to memory of 4628	624	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	97
PID 624 wrote to memory of 4628	624	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	97
PID 624 wrote to memory of 4628	624	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe	97
PID 4628 wrote to memory of 2096	4628	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	98
PID 4628 wrote to memory of 2096	4628	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	98
PID 4628 wrote to memory of 2096	4628	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe	98
PID 2096 wrote to memory of 2848	2096	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	99
PID 2096 wrote to memory of 2848	2096	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	99
PID 2096 wrote to memory of 2848	2096	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe	99
PID 2848 wrote to memory of 2984	2848	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe	100
PID 2848 wrote to memory of 2984	2848	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe	100
PID 2848 wrote to memory of 2984	2848	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe	100
PID 2984 wrote to memory of 3732	2984	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe	101
PID 2984 wrote to memory of 3732	2984	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe	101
PID 2984 wrote to memory of 3732	2984	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe	101
PID 3732 wrote to memory of 2476	3732	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe	102
PID 3732 wrote to memory of 2476	3732	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe	102
PID 3732 wrote to memory of 2476	3732	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe	102
PID 2476 wrote to memory of 2896	2476	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe	103
PID 2476 wrote to memory of 2896	2476	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe	103
PID 2476 wrote to memory of 2896	2476	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe	103
PID 2896 wrote to memory of 2692	2896	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe	104
PID 2896 wrote to memory of 2692	2896	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe	104
PID 2896 wrote to memory of 2692	2896	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe	104
PID 2692 wrote to memory of 400	2692	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe	105

C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
"C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3752
- \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
  c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2768
- - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
    c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
      c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3236
    - - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:400
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3032
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3384
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:748
        
        \??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
        
        c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe

Filesize
393KB

MD5
64e41e38e085862645c217d76977a981

SHA1
cdb9d34618a7c4a9223432860a1d92ea859567b9

SHA256
ece4d6ef9b6cb734afb48dc57b555ce622a3c51090d1e85e45c609207343cf8b

SHA512
060b3d463c015f536374e1f893a4c747c6d9d8a2491c36b036538a8f6677336c9cc892a146ce92b0c666911d1ecb378bff2d9678cdb5d9207c033760d2e7f54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe

Filesize
394KB

MD5
f9061776b29ef96b9b28f18df407dc79

SHA1
d06fb098308f2d4130aaa9269a5e674a3afdee5f

SHA256
872989402325a1c90fbe27f8fa95caaef568ee1e6a5f61cf0237259f334e81e3

SHA512
56485f9ef8f37a1cc4d91c26ea7106f033333c8b64843bdf5f83d35dd4af4422a1147c68bbb0862eef8827e6c5d7844fdd759fa2ebb4b7819ce7a18ae486b987

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe

Filesize
394KB

MD5
8c8e03bcd2b80a4df90c91709f484c51

SHA1
d9a6d57229ce99cff466a45729d1cfcb15257e80

SHA256
2960e2754dee8ab93f0aadcda79e8a00927d296cfbd21e724e6a7ffa9b5e2d24

SHA512
6b66e75cb4fe8387fb9032866c147875adbfabf0863aaa70b4cb89b2096c3447861df890acd23d58e077fcc2f400e4635b07af68c45e958e25de40c118d813dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe

Filesize
394KB

MD5
3e8cdb6d7079369b874ebf02e04a71d1

SHA1
669a72599f4187470115d58d3e7cda60ee59ba2a

SHA256
5649b9633e6b4bf88b589823e98e07fd7602e4484fa2f3612b940a5f4bd5887a

SHA512
a669ad4608b8d13b2734a83bc5eea13987ca2ae0854fd5a1efdfc9b261183154c824dc548a72a8b46a54d8499de8ed95aab7f4ace989f0ae4f6fafd062eb55ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe

Filesize
395KB

MD5
ce5bf1932e055bc75c115dbb84b28693

SHA1
75256b84ca79bce5ed6bcc7046475071aa546bdd

SHA256
097240331841f9ec3e95f0c65684ef76b145a29075fcfba28c77369c38415e95

SHA512
945063521fe41afc0d79c39030a2c0b67ccedddaa090c557e7dd681c2ab9c660b167f4b70f28fd4adbdd2a51a32ce56ca56d3be242c3b9877723ce8fbf135149

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe

Filesize
396KB

MD5
1cda89ac16e276dfac1598b0d393b44d

SHA1
17eccdbea9fd508c99d228a215994c40d7516a20

SHA256
4692e23a66c791abd36ca8eb12c3ee3d9b2d3c4aeb0ebae5665028b47339cc82

SHA512
4d793a6052b93a7584dcdf3154abd6a200a3e4dd761e04d847012f270960efb3ebd63c651945f82166a3fcdf8df8f15407ccb2b4ea7daceca889a7a8070a7e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe

Filesize
396KB

MD5
add5df5c62ae6cdf499595146d2cc39e

SHA1
52c034211ee3323990665e0495eb8f3cd22fa44d

SHA256
5de0a069abbd05a5c0bc0b9a9859e6d6de42e9e2b016d455c5758eb29e9bc36f

SHA512
864ffee8c4bdd687f2468721a825c65425190d3132ab62b0e4a9c41fb3f7c132aa081d596fe3a65a860c1c942b478e11c8903d024eb8413a13c7f748b7542820

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe

Filesize
396KB

MD5
cfbedc551de0606d068796826b9b8b39

SHA1
faae33623e0d603a6dfbbb3f3eb56931fda01302

SHA256
e00715513ac17a02d6a7b85f75c076906ef7496658083ede92ea628997ae45dc

SHA512
b3a7094934b1623ca486421eaa91db078b29990182fb0a724809c76d4b58b218033e7c1cf3407038fbde238987a4f0051bd40463b2ff9bd89e85255aeeb41d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe

Filesize
396KB

MD5
32dd8e08dbe15b403375524966f07ca6

SHA1
62efe75ee9c2ea525ccdfecc8b756c283041e23d

SHA256
513aa5a92a83872cc2a8c5a6f15c7ac657e3a1b5fac292e4f37fd84d6f25ac29

SHA512
ef1e079e4091ebb2138a3b1e82f76a6226f271a2f17bdbe466f46f27dda840edbd3f561f269cabd7390e57fbf3f339c5237849fe09e8f252ec444b8fbaa278fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe

Filesize
397KB

MD5
7142c457a942cb80f3dac5a7b816317f

SHA1
48c9a8f63c45d482c93aef69c0ccea3a19428dcb

SHA256
8a31e7156beff8f51e9508f7c82417289b46e270b0352775e3bd4aa097759532

SHA512
fb7fb39c3d31ba2b13ae2e510261e61ef22d13b8079f2c219a3d27b99758756991dba52664b2aa64896434d0e926d06b6bfa1401eb42157e55bfb9d8814f7c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe

Filesize
397KB

MD5
e7583d27b71f998882b40cb2f698547b

SHA1
d41dbeb6dee1a9861b354d664e7e442388d45691

SHA256
c5e78dd9fe57b21a0aa1c3e6b8263251ca7af51fcaf7b78817bb86e58332ac5d

SHA512
9731f49188ca00fc79af86154990e9249794444a59dd9a710356ef3de0d04794d45a1523912506fb2a0ac6752d35d521ceed352be8500009a6131ed3c701203f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe

Filesize
397KB

MD5
d790f878728773d2da5e29afff4a1734

SHA1
2974bcf833b4edc9018e1dc7ec5a25df06d22505

SHA256
7b680056ce149bcc2f849abcab553e9350a03e6d4201295852c681bac47ac0f3

SHA512
d4907a5c9a2bdbd64ccef12bab165c6895b59fb1988247b0b3aac3740252a23ae177853337c3d6a7d53ee405a1942ccee5e56aea93fa3bec940419683511c1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe

Filesize
397KB

MD5
4f6d25293579672b823d6fdadae9902a

SHA1
88f87144069f443871747a8e733db287683ac193

SHA256
95f41ca2b83d8776450ca68bc8d926574c404dc9c7ae8fa635e7e23189b96fb7

SHA512
82355a58eca6db1a55ccceef87357bcd605a5d92b064c51548191eaaa1b11e3a78f9e4fee8a605fd4cf91c44a61341634a6daa2b2d00796eb37b9392912730a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe

Filesize
398KB

MD5
2a0f36a1ce78e723408b0f3e28d9b5f8

SHA1
71cb737c623fc8dbcbae1da729edc61d4a6e2255

SHA256
853ce459ab0c10b02943b4890e39e172b2d2db1cd2ea61a4cefe9d37a0eee9be

SHA512
dcfbac379e3f2f1ae8aa7e1eb67c87820f62044fb4382e4989d9512ca69571bc0e107fbf73156d1addef29f5868f226cc9d857bf2d8d7e127d3254618021a4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe

Filesize
399KB

MD5
d3e407d697a0b2b881b8b72b70c66050

SHA1
a224fc3950ae754dc9f3991ed900f083d48beedc

SHA256
a21ba98e3edcdbec696c60560831f943a6ca21390083ae922de21011d47ac8e8

SHA512
ae27a3da991bfe8527c45b82473752286bb2e083958974f659083180af68fe66693d5fc2d33542c0a5f00f8841bc46805c6a8c505b7bb0637d159d959d56b9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe

Filesize
399KB

MD5
d16993305f27f376f291208006dd2d92

SHA1
717acfe49165593495f0d4b3ef478a0169d0e401

SHA256
3aad81a49d4aac17f7567decc3b534fd167ca4f452f917ca1f9746f5f7af22cd

SHA512
44327cf48bad53a7d5545f7e58c26fa97773ca8b80039138080553f2084cbb81e50e1474feeec7fc9077bc15eb123d37ab828820ebb4e9ef48df006af25e082c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe

Filesize
399KB

MD5
d6a87c06f35c6a0b5490d7475c33a7b7

SHA1
2df9760945afcc1f827a48e7d23f7f23ac0824f6

SHA256
31637cea1e441f5eb0c5bca82c29d9327beb0931e1ec810b4a80cfc8e486c854

SHA512
0d1ebce75bbd7dd571552718991297b84ae5b9d574acfa8bf239cd8d6a1b5cc2b72d929a3188c0a01de267650a8ba7a2a054ddac0a0eff4d5ef1a6eb85ea050d

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe

Filesize
394KB

MD5
6ba3e72b47ac76f58fb1abf0abdefa15

SHA1
39546849210aa3e53a9ea7319baf3d2f5264e973

SHA256
8add3b956c796bb92331ccd68c213697400dc5796df0bdfa6f751ef370ad151d

SHA512
8f59c3be645419626d557bc447a5c0bbc2c05dd5670b85a54fb35b6f8a51b382f53d1a8c18ac21c51f04e067f1016e1719467eb8e853b970d189e533838bf966

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe

Filesize
395KB

MD5
571fae8f2582d78e9a03df63e8d89e92

SHA1
a95edb690b5e3af3ec5f711de4ab88632261cfa4

SHA256
5c48d09591de3d8a714b06cd9f68be56a1ee3ec9f2c0d265f662daa7dc3b6dc7

SHA512
4fffb0783c99762736789d59635705952439ad869c0e475c331496fd21115f253f00ca529b98b80cf50e4fb149157b759b2c86fd5dea21575b16204ed0892448

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe

Filesize
395KB

MD5
be0f81dfe373abb62b1d44339247e851

SHA1
e160c84ad4e32b658656e910800c4f366016208e

SHA256
dfc718ec036e6d8280de8a9d5bc7287f90b19afab835e460736d0efd3fef63d8

SHA512
9e004bd920c88ca2137744c3f1504f5e2b27c3fe1691dd512f205233ffd12436d04aa4ad0d5c47239c575c28702dd045eee243ea1643739165a2e552dd3da959

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe

Filesize
395KB

MD5
f4307c0752e33156fd5d326328d9c5b9

SHA1
55c4e6adfd5ab7ed51723c8c60cb89cb743a40ee

SHA256
fce5fc89c39b6ec408425ac31f8fed60bcb69664d7f14139451a5653d3bb0d14

SHA512
4b9465129649fcb7a07301d8cfb3789bbc36dfa33a18f30a71b64bd03c1339db2f7230a3db7b1830f29a5f57b5ad388d8f887de9f028fcb27769c1972dfdc9aa

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe

Filesize
397KB

MD5
20107d4aa7503f8b704cff9353cc51e9

SHA1
b9935cc762415c497e9a14cb298f531aa1458017

SHA256
928aeb14dc278aa1d92a11ebe6de2e8c3097a2bc07532df2f91684bedad5fa9c

SHA512
78d6a7c7b2eefd0a8307716234fa7530ad34106d4b1f2114f96032619b51d848a02b4404303570658bd1b7d46e1da7eb20d7af4c8d8b5a9bf272e4d518e2ca80

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe

Filesize
398KB

MD5
f07672d862da453c3ebc5da0a4ab5342

SHA1
e4ef25401ae680d74dd5654724cf6fa22d5768c7

SHA256
40029059ad6fb8c9c570a5109276abc92c5b59b8d467e945991efefe5b87b447

SHA512
27a758cfc121ffb324796131e533e8f624234096c2567bba37eef1d40fc02f378b613baf045389598c4598b010fd84747795673df64b0f0430d069586c6e7e25

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe

Filesize
398KB

MD5
852f35cd7bd5736d6d91a5c7f4311321

SHA1
3254a42659ec2b604d28f508b7ad5cbc1441925c

SHA256
6134e228d67c7afc8110a198abfefdac32c47b7b1d78a143c00f02c6ddf4947f

SHA512
8ad3cff41c5387fc322afb3e25a5e89311e8077ae8709d7c83254975a020edf1d84e09cab5e49865f7eee583f726eedcd6a9e5c6b8b80cbc5eae65ed40e7dcb2

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe

Filesize
398KB

MD5
7c88bc6e601b540f43bc4a3a9b0138e2

SHA1
0c762c13d22bedb13494164733a014e9983090ba

SHA256
11013baedf2f18b9f8c8a328f398ab7a30c331b0c73cab9716c4335da0cb2318

SHA512
a23b4f6d06481b6e568441559efb5d7c4771d538182185c90fd2684615570da2aae13c15c2da51b995c837cc921861e58b61110fa7a85426fc176a4e9f0a25ec

Download Submit
\??\c:\users\admin\appdata\local\temp\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe

Filesize
399KB

MD5
c5abfbdceb4a9c872c938c12ab89028d

SHA1
15bf23855a30e30562a2976bb0fbac38d8aa2fec

SHA256
af5591a02c676ad1048e13324ef2b69746cae63655467706e6f675c3357bfb5a

SHA512
1310d8ecc9d0bcad28773023c8e22fb5d9b824e18123b2a4818dad7c1ac9ca679564effa532d2cdaf2fbb14f9ecf9d58f5e259f4bf184d3ab27ca1157f657ead

Download Submit
memory/396-125-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/396-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/400-238-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/624-144-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/624-136-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/748-271-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/916-273-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1068-83-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1068-73-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-72-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1524-62-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1552-113-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1680-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1680-31-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2096-162-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2096-167-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2476-207-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2692-228-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2768-9-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2768-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2848-177-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2896-218-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2896-214-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2984-185-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3032-250-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3032-240-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3236-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3236-41-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3384-251-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3384-260-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3588-60-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3676-101-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3732-193-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3732-196-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3752-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3752-8-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4008-92-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-124-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4272-114-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4328-50-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4628-154-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202t.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202r.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202d.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202m.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202o.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202q.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202h.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202c.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202y.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202l.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202v.exe\""	0f78693c5a1dfddb8a9b98db177abae1972b5a0f0f6b7a05edbcadb91db48f9d_3202u.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads