ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
Size

470KB
MD5

60085578db6aea3b565e3674e65bb399
SHA1

67a5fd9645b2266f106b4fd097a2adb1dab42fa7
SHA256

ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95
SHA512

58fd0731538e8fff2bb0ec5ae48d925c45d2dd262328ab7c54dee565e70db0c1f633a4b387f61255594f5a829e97ee4f772b3f811993d66b347a87a50bf2b1b9
SSDEEP

6144:CqppuGRYx4H712f/SBTpzZA6rXD40b+7TJDAMyyNFSlfyveN56/:CqpNtb1YIp9AI4FDAMyyN

Score

9^/10

persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x000c000000015cd2-5.dat	UPX
behavioral1/memory/1972-16-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1728-15-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0031000000015d39-23.dat	UPX
behavioral1/memory/1972-30-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000015f23-38.dat	UPX
behavioral1/memory/2580-46-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000015fa6-53.dat	UPX
behavioral1/memory/2676-60-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000016013-68.dat	UPX
behavioral1/memory/2696-76-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2396-83-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2396-92-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0007000000016122-90.dat	UPX
behavioral1/files/0x00090000000161ee-99.dat	UPX
behavioral1/files/0x0008000000016cfd-115.dat	UPX
behavioral1/memory/2452-114-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2860-107-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2452-124-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1880-125-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d06-132.dat	UPX
behavioral1/memory/1880-139-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/292-141-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0031000000015d59-148.dat	UPX
behavioral1/memory/292-155-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d10-163.dat	UPX
behavioral1/memory/1616-171-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/340-176-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d18-179.dat	UPX
behavioral1/memory/340-186-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d21-196.dat	UPX
behavioral1/memory/1540-201-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d29-209.dat	UPX
behavioral1/memory/2060-216-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d31-225.dat	UPX
behavioral1/memory/1744-233-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1404-240-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/files/0x0006000000016d81-241.dat	UPX
behavioral1/memory/1404-250-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1144-251-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1144-262-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1128-268-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1128-274-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/980-275-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/980-286-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1304-292-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1304-298-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/800-309-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1648-321-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1244-332-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1432-343-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2784-348-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1508-354-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/1508-360-0x0000000000400000-0x0000000000442000-memory.dmp	UPX
behavioral1/memory/2496-361-0x0000000000400000-0x0000000000442000-memory.dmp	UPX

Executes dropped EXE 25 IoCs

pid	Process
1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
1144	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
1128	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
980	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
1304	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
800	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
1648	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
1244	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
1432	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
2784	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
2496	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe

Loads dropped DLL 50 IoCs

pid	Process
1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
1144	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
1144	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
1128	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
1128	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
980	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
980	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
1304	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
1304	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
800	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
800	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
1648	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
1648	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
1244	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
1244	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
1432	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
1432	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
1508	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe
1508	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = fa5d2c24d168feec	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = e88054a0bd926185	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1972	1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe	29
PID 1728 wrote to memory of 1972	1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe	29
PID 1728 wrote to memory of 1972	1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe	29
PID 1728 wrote to memory of 1972	1728	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe	29
PID 1972 wrote to memory of 2580	1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe	30
PID 1972 wrote to memory of 2580	1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe	30
PID 1972 wrote to memory of 2580	1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe	30
PID 1972 wrote to memory of 2580	1972	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe	30
PID 2580 wrote to memory of 2676	2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe	31
PID 2580 wrote to memory of 2676	2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe	31
PID 2580 wrote to memory of 2676	2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe	31
PID 2580 wrote to memory of 2676	2580	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe	31
PID 2676 wrote to memory of 2696	2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe	32
PID 2676 wrote to memory of 2696	2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe	32
PID 2676 wrote to memory of 2696	2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe	32
PID 2676 wrote to memory of 2696	2676	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe	32
PID 2696 wrote to memory of 2396	2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe	33
PID 2696 wrote to memory of 2396	2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe	33
PID 2696 wrote to memory of 2396	2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe	33
PID 2696 wrote to memory of 2396	2696	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe	33
PID 2396 wrote to memory of 2860	2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe	34
PID 2396 wrote to memory of 2860	2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe	34
PID 2396 wrote to memory of 2860	2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe	34
PID 2396 wrote to memory of 2860	2396	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe	34
PID 2860 wrote to memory of 2452	2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe	35
PID 2860 wrote to memory of 2452	2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe	35
PID 2860 wrote to memory of 2452	2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe	35
PID 2860 wrote to memory of 2452	2860	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe	35
PID 2452 wrote to memory of 1880	2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe	36
PID 2452 wrote to memory of 1880	2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe	36
PID 2452 wrote to memory of 1880	2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe	36
PID 2452 wrote to memory of 1880	2452	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe	36
PID 1880 wrote to memory of 292	1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe	37
PID 1880 wrote to memory of 292	1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe	37
PID 1880 wrote to memory of 292	1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe	37
PID 1880 wrote to memory of 292	1880	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe	37
PID 292 wrote to memory of 1616	292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe	38
PID 292 wrote to memory of 1616	292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe	38
PID 292 wrote to memory of 1616	292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe	38
PID 292 wrote to memory of 1616	292	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe	38
PID 1616 wrote to memory of 340	1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe	39
PID 1616 wrote to memory of 340	1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe	39
PID 1616 wrote to memory of 340	1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe	39
PID 1616 wrote to memory of 340	1616	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe	39
PID 340 wrote to memory of 1540	340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe	40
PID 340 wrote to memory of 1540	340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe	40
PID 340 wrote to memory of 1540	340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe	40
PID 340 wrote to memory of 1540	340	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe	40
PID 1540 wrote to memory of 2060	1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe	41
PID 1540 wrote to memory of 2060	1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe	41
PID 1540 wrote to memory of 2060	1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe	41
PID 1540 wrote to memory of 2060	1540	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe	41
PID 2060 wrote to memory of 1744	2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe	42
PID 2060 wrote to memory of 1744	2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe	42
PID 2060 wrote to memory of 1744	2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe	42
PID 2060 wrote to memory of 1744	2060	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe	42
PID 1744 wrote to memory of 1404	1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe	43
PID 1744 wrote to memory of 1404	1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe	43
PID 1744 wrote to memory of 1404	1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe	43
PID 1744 wrote to memory of 1404	1744	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe	43
PID 1404 wrote to memory of 1144	1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe	44
PID 1404 wrote to memory of 1144	1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe	44
PID 1404 wrote to memory of 1144	1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe	44
PID 1404 wrote to memory of 1144	1404	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe	44

C:\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
"C:\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728
- \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
  c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1972
- - \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
    c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
      c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1144
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1128
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:980
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1304
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:800
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1648
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1244
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1432
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2784
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe
        26⤵
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1508
        
        \??\c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe
        
        c:\users\admin\appdata\local\temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe

Filesize
470KB

MD5
d8e2572573910c74882f029ea32bf449

SHA1
62bae54c3df8b1a27882a628993eeea45deb4196

SHA256
fb6fd4c6fc274ea3e95d40d951d41e701c2f95bbbd8be589dd1c22e090f0b6d2

SHA512
123e20419dabab955517592991bd3776e214124d6fd376505569d8de12d2f522d985f1b55cfc8d461cd2b05230f44a702ff3f332300ac5d7d02bf0fc8d5b90c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe

Filesize
472KB

MD5
abfdd9bcdb139008c55d1fcede655a27

SHA1
601a6e88b0a353a257caaeedb0ce1a97d3231a20

SHA256
fb2229b17b174dd3049689dbbc9dd8208e0ae5b6c4d9a871d656eb406b6f28fd

SHA512
36ddf12ba1ac85104df2aef279a7f8f26f561dfd0856e44e7498fda804058a79a93b1bb2872669894726290012f65511d33f308e25ea4d2930e5c170ec99f858

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe

Filesize
471KB

MD5
d7adb8d1158da55794fd77e3d5e07544

SHA1
d5a3d5db78ed166b80506926d990bd29cf8ed8b5

SHA256
2e41fba1af9d5de4aabe8cfcac12739cef3ed67276066fb2e05b4a7bd34d2165

SHA512
f8426c7cbd03f5d6cd026931936c3ce9c1d5f637ed638e68202797d33157a0fd183dc27b6f85e37f3f0ed712576345a15d1faa39b8cca4ece7c3df2729e1b364

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe

Filesize
471KB

MD5
fbc14407c031145787c426b16872a282

SHA1
c6bd538c782af0ba2d05b1a266d31de8a2e96b0e

SHA256
f61e069b24043ced39f8ddb2ca1ac395aec8c2cb4600c1fafffa70150f63b51f

SHA512
c7efbc5e052507ae211ea360d72dcb8b58905d948b17654468e2c7c4b980e6a22122f67ac77d1785e7df196032c19a9ee416764d335af71ccf4ca0bded7b912d

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe

Filesize
471KB

MD5
761557d4708dfd9f491042139a37d00f

SHA1
6d29c242d6657f5e284181942737832da1ba1715

SHA256
1f2c7afc4704e2ee546ac8d6df0ca90d9a1fc392509ef8eb46cd267213a98221

SHA512
8b3304004536c4cb015820a6b8f135149ce3644d5f80986f23c95d92a3400ad0eeb3d54bfbd1fcd024d1312373135e07b9006dbd38da9b9b27b8c67a0ff976e0

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe

Filesize
471KB

MD5
f140ad710a119fe6b1fdcc09697f74f3

SHA1
d8a119dd3ef4350288ba4670d287438026ba5460

SHA256
a090bef29a3fc5fe2b163797e161243b4d891a0ec2f298c12627cf30f13d5e97

SHA512
414a31df68cc3c4d4604abcb494ec8720916c8a51c4b6ac3cc420e669104a58416fb6b37b5dd63e1950b1d354683a5de569919ef3647be221aba44deb01bdb89

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe

Filesize
472KB

MD5
6151a3edd135bfafc253047876d326ab

SHA1
821a3cfff6e6135d85532dd4d4e9459f78455a1e

SHA256
43acc8478ffa58e89fae1cda3da3e39298140d656ffa72b4110edc457250811c

SHA512
f1ba657a3a5485937d93f1a086c5c4e44c2775ba82d291325903900447428a0f6baa06505cd55034587870086ae8f8d805df592e6b5beb8522668433431b885f

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe

Filesize
472KB

MD5
12535addd79da0a872175def6e36350b

SHA1
a1b6efa4880a423159500a62e1630d8ae410424e

SHA256
2907eb7095c5feef6b42062f1a7ce760100f6a15f6fd9c0459d7b2ef292159ff

SHA512
fd5a5eb2f6ae0e7bc373f7f0f48d4280b4051d32c0448997802e19778dc30359550226a7a3d7ef806542812068982c09de2ea8047402a48af5d34e173f6c6e5b

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe

Filesize
472KB

MD5
e50c9b3d6d218bba83b30d29fdccb0c9

SHA1
c1fc792f3310e3ce7b8d6d265c50f51054cda47f

SHA256
78bd4c34cf3870896e81e4442e984306f5d3f76b5db8595e83dc4b464e9dd6b3

SHA512
ebf94753d115ac845e01df17cee0ea81cd2517ea134d492b61f5dce9e3b8573fd838add731074e46648f44de13a9ede762b61f86c11fa208f2bb01b93c50f76e

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe

Filesize
472KB

MD5
e8d15606271d62afdcec7b1baa9567e4

SHA1
ed72cf2d0f6421f70791db320fd67fd5b497fbda

SHA256
3b58be33e76aa195b63876ccf6da1d1c2b2f7b947a143f94b01b283f59efdee9

SHA512
f80d5fbd2eb77b90fb503c7e68a045a3566708e9c044661a82e45fcfb27a1b664a5594ca123e667df3af0c2bd7b3e907e8214abc56d33b24fe0ec12f546ebe2f

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe

Filesize
473KB

MD5
aaa6c00b85c0bccf109b5e0ea9e106a2

SHA1
f9ad686017ddab6e85794f4a73a6dade7dc9e68b

SHA256
ad286b33d73ad3ea788fbad29924342bd4b3d759368e14ab8fcbaab80e9ccb6d

SHA512
fba35c97adc5914e458ec55c2ceaee6b81c2f008e7aaa555673be814ac9d463ecfed29e54dad9e5a901f5e199e6cc6a0ff971f38f3476be762f46b7e40b7c0c0

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe

Filesize
473KB

MD5
913fea3240c5580905f611d9d2e94829

SHA1
b86a0595534c3650df49ef0b22538470808291a3

SHA256
65df800222f28d7a491f944663ba3b27812bef6cc85483068a6a0d3b1439daec

SHA512
e13f197089ef0b25942743ddf000aac4d34c868c7c655a5e66a3a9aa6635e6f691af4d1920022e19a6dc66089b056b1a678decddecbee2b70f9f8831662aa92b

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe

Filesize
473KB

MD5
84271fc84e61bed7c25dae3365f2bdc4

SHA1
b46fc48880ac46e1613bc5d805dc886c1e78070b

SHA256
5c72916c117e930ffc2db2e1fa51e5eaabf7fb65996df7ca904479608aef04dc

SHA512
d61267fcf336931d1426e0bf8109fdf036c3784096ac8d95607a2b96c8503aadf67f15f2d6d9dd5c48b1953c36458ba63c08c8b49069679a69010a3a16fda001

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe

Filesize
473KB

MD5
c45921ce222ec23bbbe7dfea5734d083

SHA1
2896811e16e51a672e2c40062113dd372b8a9653

SHA256
7257b41897e7b7b007fc1f3e74e28d7aaf75e428c2cd9db190d02ecff7f3d172

SHA512
0b5539786cdc220106df308c6fa4261ed346c4ef92d9f6796b4613c2410d742b7a3bf0494b25b60aa235468eda671f1ae8f4240800425402b7829b812406624f

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe

Filesize
474KB

MD5
dc27b4e07e5a586fdd2dd9d4f09f8f64

SHA1
77216e9f1928d55c1dc33b0ace76b1152728fb76

SHA256
1679506df981a2126b7f29836a15be81ebe466dfc1c1a2d7a6957deb218ef274

SHA512
f856960fd8bb67d740914b91489c324e6b849a0b5fe381559698348e1687e099c34ff2d43ba66ffd8ce89778e6b3fc8e61232c4c3b88fd3ae90e5245221bd47e

Download Submit
\Users\Admin\AppData\Local\Temp\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe

Filesize
474KB

MD5
202604562a3f226c109b18e8e7a60396

SHA1
e128a291c6c4a1b0ada13fc52ef8604109970b75

SHA256
c87caf36445e67f32cb1bb06f7e6970c5f8fda982f0079e97ff76ec4863f52b3

SHA512
05f23f74461ec5f3c1c3c4fcc9a7942c6b84e8b521356171f0655bb20db6878034847779fa275a461f07ad11e978c856e3e1ccff2719f3b59bb3e0c8632e88f5

Download Submit
memory/292-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/292-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/340-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/340-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/800-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/980-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1128-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1144-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1244-332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1304-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1304-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-247-0x0000000001C70000-0x0000000001CB2000-memory.dmp

Filesize
264KB

Download
memory/1404-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1432-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1508-360-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1616-171-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-321-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1648-316-0x0000000000390000-0x00000000003D2000-memory.dmp

Filesize
264KB

Download
memory/1728-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-8-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/1744-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1880-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1880-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2060-217-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2396-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2452-117-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/2496-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2580-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2696-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-345-0x00000000771E0000-0x00000000772FF000-memory.dmp

Filesize
1.1MB

Download
memory/2784-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2784-347-0x00000000003A0000-0x00000000003E2000-memory.dmp

Filesize
264KB

Download
memory/2784-346-0x00000000770E0000-0x00000000771DA000-memory.dmp

Filesize
1000KB

Download
memory/2860-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202y.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202j.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202a.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202e.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202o.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202x.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202d.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202l.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202u.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202i.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202n.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202s.exe\""	ec6c0c599e5d0cc59893e8140dda75114e4c1cdefd3b6f0bf7371d25004a5e95_3202r.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads