3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361

Analysis

max time kernel
93s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe
Size

535KB
MD5

957859f63d137f5ddf71d7d8fba923c6
SHA1

aae220e82d4122a77b9c1c898afd02df7674af41
SHA256

3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361
SHA512

980739a31bce928d34cf7a20f125276c160a710612165be2905eb0b5f1781b1c301a445c4dd5ee1445e0bd134edb74baa43d0de3188bdd75fc7562eddb05f894
SSDEEP

6144:phbZ5hMTNFf8LAurlEzAX7orwfSZ4sXUzQIQfVKezcdwgC:jtXMzqrllX7EwfEIQt9

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1360	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
1112	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
2944	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
4676	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
4456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
2036	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
3928	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
4836	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
2908	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
4276	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
4008	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
4876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
3896	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
4680	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
436	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
1844	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
848	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
1248	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
5012	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
2308	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
4040	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe
4844	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
2196	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
3600	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4640-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x000800000002343a-5.dat	upx
behavioral2/memory/4640-14-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1112-34-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2944-44-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4676-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2036-73-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2908-92-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0007000000023456-221.dat	upx
behavioral2/memory/3600-241-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2196-240-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4844-236-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4040-228-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2308-218-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5012-210-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1248-200-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/848-191-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1844-183-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/436-173-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4680-164-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3896-156-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/456-146-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4876-137-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/876-128-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4008-119-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4276-111-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2908-101-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4836-91-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3928-82-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4456-64-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2036-63-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4676-54-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4456-53-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2944-33-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1112-24-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1360-23-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 398a36dbd1003d68	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 1360	4640	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe	84
PID 4640 wrote to memory of 1360	4640	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe	84
PID 4640 wrote to memory of 1360	4640	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe	84
PID 1360 wrote to memory of 1112	1360	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe	85
PID 1360 wrote to memory of 1112	1360	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe	85
PID 1360 wrote to memory of 1112	1360	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe	85
PID 1112 wrote to memory of 2944	1112	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe	86
PID 1112 wrote to memory of 2944	1112	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe	86
PID 1112 wrote to memory of 2944	1112	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe	86
PID 2944 wrote to memory of 4676	2944	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe	87
PID 2944 wrote to memory of 4676	2944	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe	87
PID 2944 wrote to memory of 4676	2944	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe	87
PID 4676 wrote to memory of 4456	4676	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe	88
PID 4676 wrote to memory of 4456	4676	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe	88
PID 4676 wrote to memory of 4456	4676	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe	88
PID 4456 wrote to memory of 2036	4456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe	89
PID 4456 wrote to memory of 2036	4456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe	89
PID 4456 wrote to memory of 2036	4456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe	89
PID 2036 wrote to memory of 3928	2036	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe	90
PID 2036 wrote to memory of 3928	2036	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe	90
PID 2036 wrote to memory of 3928	2036	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe	90
PID 3928 wrote to memory of 4836	3928	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe	91
PID 3928 wrote to memory of 4836	3928	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe	91
PID 3928 wrote to memory of 4836	3928	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe	91
PID 4836 wrote to memory of 2908	4836	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe	92
PID 4836 wrote to memory of 2908	4836	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe	92
PID 4836 wrote to memory of 2908	4836	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe	92
PID 2908 wrote to memory of 4276	2908	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe	93
PID 2908 wrote to memory of 4276	2908	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe	93
PID 2908 wrote to memory of 4276	2908	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe	93
PID 4276 wrote to memory of 4008	4276	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe	94
PID 4276 wrote to memory of 4008	4276	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe	94
PID 4276 wrote to memory of 4008	4276	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe	94
PID 4008 wrote to memory of 876	4008	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe	95
PID 4008 wrote to memory of 876	4008	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe	95
PID 4008 wrote to memory of 876	4008	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe	95
PID 876 wrote to memory of 4876	876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe	96
PID 876 wrote to memory of 4876	876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe	96
PID 876 wrote to memory of 4876	876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe	96
PID 4876 wrote to memory of 456	4876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe	97
PID 4876 wrote to memory of 456	4876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe	97
PID 4876 wrote to memory of 456	4876	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe	97
PID 456 wrote to memory of 3896	456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe	98
PID 456 wrote to memory of 3896	456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe	98
PID 456 wrote to memory of 3896	456	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe	98
PID 3896 wrote to memory of 4680	3896	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe	99
PID 3896 wrote to memory of 4680	3896	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe	99
PID 3896 wrote to memory of 4680	3896	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe	99
PID 4680 wrote to memory of 436	4680	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe	100
PID 4680 wrote to memory of 436	4680	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe	100
PID 4680 wrote to memory of 436	4680	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe	100
PID 436 wrote to memory of 1844	436	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe	101
PID 436 wrote to memory of 1844	436	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe	101
PID 436 wrote to memory of 1844	436	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe	101
PID 1844 wrote to memory of 848	1844	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe	102
PID 1844 wrote to memory of 848	1844	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe	102
PID 1844 wrote to memory of 848	1844	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe	102
PID 848 wrote to memory of 1248	848	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe	103
PID 848 wrote to memory of 1248	848	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe	103
PID 848 wrote to memory of 1248	848	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe	103
PID 1248 wrote to memory of 5012	1248	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe	104
PID 1248 wrote to memory of 5012	1248	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe	104
PID 1248 wrote to memory of 5012	1248	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe	104
PID 5012 wrote to memory of 2308	5012	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe	105

C:\Users\Admin\AppData\Local\Temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe
"C:\Users\Admin\AppData\Local\Temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640
- \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
  c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1360
- - \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
    c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
      c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2944
    - - \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2308
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4040
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:4844
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2196
        
        \??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe
        
        c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe

Filesize
535KB

MD5
2746a7126491d1c68040b7c43904cb66

SHA1
37a1c277288943cbe6b5e5a66ce65f6ddc83d135

SHA256
fd25ee340e01a60ca425a072c89914f892618dc8d490d0ee9d0bc684da4f6c5e

SHA512
9ffc1c342cab78ec90e86dece4d4e92f978a7f6bdd3c57e2fad232f9f62e68194a08c12576c34bf599bd9042e86ba4c720ee102a9468a82f83f817c392920def

Download Submit
\??\c:\users\admin\appdata\local\temp\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe

Filesize
535KB

MD5
78cf25c828e72627848901545140f7e7

SHA1
aec68504a16c7fd2b30e2e533eccc7b1a9ab8f47

SHA256
9918a05db5c25ca9cce5a5ac6539e162dc27fbc99e11a7321c6e014a4148a3e6

SHA512
47201fc02ae84f492de059a90eb3998fdb752661388950c412e247d813e390e36021a7993e192eaba9fc80778198fb80a0c41159f4e8649b30b9449959ed26fc

Download Submit
memory/436-173-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/876-128-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1112-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1112-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1360-23-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1844-183-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2196-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2308-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-101-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-33-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3600-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3896-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3928-82-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4008-119-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4276-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4456-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4456-53-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4640-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4640-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4676-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4676-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-164-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4836-91-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4844-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4876-137-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5012-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202b.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202f.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202d.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202k.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202j.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202a.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202y.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202n.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202r.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202x.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202q.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202u.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202w.exe\""	3c9601a7f800e8629c5512c7d66ad01e179ff9d8184b7b5ee223034ab5adb361_3202v.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads