858d317f3964f01347d8f8f9fa466bd211a275fa6ee070e1d8dc88410f84641c

Analysis

max time kernel
23s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57708da97d22a900d35456c4da086090N.exe
Size

324KB
MD5

57708da97d22a900d35456c4da086090
SHA1

8db5476a41d9c4ac9642a98ac0ddee3a24db53b4
SHA256

858d317f3964f01347d8f8f9fa466bd211a275fa6ee070e1d8dc88410f84641c
SHA512

05a54fb0be8e52fa79eae5b8c9abeb7d1056d1797849f3faa1a9a6d68855345b5cefbca2fde065d61051071071cbc23dd6b0589374dde79617502cbdc04c6a09
SSDEEP

6144:YhbZ5hMTNFf8LAurlEzAX7oEwfSZ4sXUzQI6FiqH1lO67:2tXMzqrllX73wfEI60qH1z

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2648	57708da97d22a900d35456c4da086090n_3202.exe
2628	57708da97d22a900d35456c4da086090n_3202a.exe
1628	57708da97d22a900d35456c4da086090n_3202b.exe
2780	57708da97d22a900d35456c4da086090n_3202c.exe
3000	57708da97d22a900d35456c4da086090n_3202d.exe
804	57708da97d22a900d35456c4da086090n_3202e.exe
2080	57708da97d22a900d35456c4da086090n_3202f.exe
2132	57708da97d22a900d35456c4da086090n_3202g.exe
2268	57708da97d22a900d35456c4da086090n_3202h.exe
1968	57708da97d22a900d35456c4da086090n_3202i.exe
1880	57708da97d22a900d35456c4da086090n_3202j.exe
1960	57708da97d22a900d35456c4da086090n_3202k.exe
2484	57708da97d22a900d35456c4da086090n_3202l.exe
2176	57708da97d22a900d35456c4da086090n_3202m.exe
2000	57708da97d22a900d35456c4da086090n_3202n.exe
880	57708da97d22a900d35456c4da086090n_3202o.exe
1524	57708da97d22a900d35456c4da086090n_3202p.exe
1300	57708da97d22a900d35456c4da086090n_3202q.exe
1520	57708da97d22a900d35456c4da086090n_3202r.exe
1732	57708da97d22a900d35456c4da086090n_3202s.exe
1648	57708da97d22a900d35456c4da086090n_3202t.exe
1544	57708da97d22a900d35456c4da086090n_3202u.exe
2444	57708da97d22a900d35456c4da086090n_3202v.exe
1036	57708da97d22a900d35456c4da086090n_3202w.exe
1564	57708da97d22a900d35456c4da086090n_3202x.exe
2748	57708da97d22a900d35456c4da086090n_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2200	57708da97d22a900d35456c4da086090N.exe
2200	57708da97d22a900d35456c4da086090N.exe
2648	57708da97d22a900d35456c4da086090n_3202.exe
2648	57708da97d22a900d35456c4da086090n_3202.exe
2628	57708da97d22a900d35456c4da086090n_3202a.exe
2628	57708da97d22a900d35456c4da086090n_3202a.exe
1628	57708da97d22a900d35456c4da086090n_3202b.exe
1628	57708da97d22a900d35456c4da086090n_3202b.exe
2780	57708da97d22a900d35456c4da086090n_3202c.exe
2780	57708da97d22a900d35456c4da086090n_3202c.exe
3000	57708da97d22a900d35456c4da086090n_3202d.exe
3000	57708da97d22a900d35456c4da086090n_3202d.exe
804	57708da97d22a900d35456c4da086090n_3202e.exe
804	57708da97d22a900d35456c4da086090n_3202e.exe
2080	57708da97d22a900d35456c4da086090n_3202f.exe
2080	57708da97d22a900d35456c4da086090n_3202f.exe
2132	57708da97d22a900d35456c4da086090n_3202g.exe
2132	57708da97d22a900d35456c4da086090n_3202g.exe
2268	57708da97d22a900d35456c4da086090n_3202h.exe
2268	57708da97d22a900d35456c4da086090n_3202h.exe
1968	57708da97d22a900d35456c4da086090n_3202i.exe
1968	57708da97d22a900d35456c4da086090n_3202i.exe
1880	57708da97d22a900d35456c4da086090n_3202j.exe
1880	57708da97d22a900d35456c4da086090n_3202j.exe
1960	57708da97d22a900d35456c4da086090n_3202k.exe
1960	57708da97d22a900d35456c4da086090n_3202k.exe
2484	57708da97d22a900d35456c4da086090n_3202l.exe
2484	57708da97d22a900d35456c4da086090n_3202l.exe
2176	57708da97d22a900d35456c4da086090n_3202m.exe
2176	57708da97d22a900d35456c4da086090n_3202m.exe
2000	57708da97d22a900d35456c4da086090n_3202n.exe
2000	57708da97d22a900d35456c4da086090n_3202n.exe
880	57708da97d22a900d35456c4da086090n_3202o.exe
880	57708da97d22a900d35456c4da086090n_3202o.exe
1524	57708da97d22a900d35456c4da086090n_3202p.exe
1524	57708da97d22a900d35456c4da086090n_3202p.exe
1300	57708da97d22a900d35456c4da086090n_3202q.exe
1300	57708da97d22a900d35456c4da086090n_3202q.exe
1520	57708da97d22a900d35456c4da086090n_3202r.exe
1520	57708da97d22a900d35456c4da086090n_3202r.exe
1732	57708da97d22a900d35456c4da086090n_3202s.exe
1732	57708da97d22a900d35456c4da086090n_3202s.exe
1648	57708da97d22a900d35456c4da086090n_3202t.exe
1648	57708da97d22a900d35456c4da086090n_3202t.exe
1544	57708da97d22a900d35456c4da086090n_3202u.exe
1544	57708da97d22a900d35456c4da086090n_3202u.exe
2444	57708da97d22a900d35456c4da086090n_3202v.exe
2444	57708da97d22a900d35456c4da086090n_3202v.exe
1036	57708da97d22a900d35456c4da086090n_3202w.exe
1036	57708da97d22a900d35456c4da086090n_3202w.exe
1564	57708da97d22a900d35456c4da086090n_3202x.exe
1564	57708da97d22a900d35456c4da086090n_3202x.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000a000000012255-4.dat	upx
behavioral1/memory/2200-7-0x0000000000540000-0x000000000057B000-memory.dmp	upx
behavioral1/memory/2200-14-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0008000000015cb6-21.dat	upx
behavioral1/memory/2648-28-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2628-29-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000015cda-36.dat	upx
behavioral1/memory/1628-44-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2628-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000015cf4-51.dat	upx
behavioral1/memory/1628-58-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000015d18-66.dat	upx
behavioral1/memory/3000-74-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2780-73-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000a000000015d21-83.dat	upx
behavioral1/memory/3000-87-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0009000000015d29-95.dat	upx
behavioral1/memory/804-102-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2080-103-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000017420-110.dat	upx
behavioral1/memory/2080-117-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0007000000017429-125.dat	upx
behavioral1/memory/2132-132-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0006000000017447-140.dat	upx
behavioral1/memory/2268-147-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0006000000017467-154.dat	upx
behavioral1/memory/1968-160-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0006000000017520-168.dat	upx
behavioral1/memory/1880-174-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x002b000000015c7b-182.dat	upx
behavioral1/memory/1960-190-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2484-203-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0009000000018617-199.dat	upx
behavioral1/files/0x0005000000018634-212.dat	upx
behavioral1/memory/2176-219-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0005000000018636-226.dat	upx
behavioral1/memory/2000-233-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/880-235-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/880-247-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1524-257-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1300-267-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1520-268-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1520-278-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1732-289-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1648-299-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1544-300-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1544-310-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2444-321-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1036-322-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1036-332-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1564-342-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2748-343-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202d.exe\""	57708da97d22a900d35456c4da086090n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202p.exe\""	57708da97d22a900d35456c4da086090n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202v.exe\""	57708da97d22a900d35456c4da086090n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202x.exe\""	57708da97d22a900d35456c4da086090n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202c.exe\""	57708da97d22a900d35456c4da086090n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202t.exe\""	57708da97d22a900d35456c4da086090n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202w.exe\""	57708da97d22a900d35456c4da086090n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202o.exe\""	57708da97d22a900d35456c4da086090n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202y.exe\""	57708da97d22a900d35456c4da086090n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202.exe\""	57708da97d22a900d35456c4da086090N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202a.exe\""	57708da97d22a900d35456c4da086090n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202f.exe\""	57708da97d22a900d35456c4da086090n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202g.exe\""	57708da97d22a900d35456c4da086090n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202k.exe\""	57708da97d22a900d35456c4da086090n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202b.exe\""	57708da97d22a900d35456c4da086090n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202r.exe\""	57708da97d22a900d35456c4da086090n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202n.exe\""	57708da97d22a900d35456c4da086090n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202s.exe\""	57708da97d22a900d35456c4da086090n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202u.exe\""	57708da97d22a900d35456c4da086090n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202i.exe\""	57708da97d22a900d35456c4da086090n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202m.exe\""	57708da97d22a900d35456c4da086090n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202e.exe\""	57708da97d22a900d35456c4da086090n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202h.exe\""	57708da97d22a900d35456c4da086090n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202j.exe\""	57708da97d22a900d35456c4da086090n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202l.exe\""	57708da97d22a900d35456c4da086090n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\57708da97d22a900d35456c4da086090n_3202q.exe\""	57708da97d22a900d35456c4da086090n_3202p.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1461b1174fb47ff9	57708da97d22a900d35456c4da086090n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	57708da97d22a900d35456c4da086090n_3202d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2648	2200	57708da97d22a900d35456c4da086090N.exe	30
PID 2200 wrote to memory of 2648	2200	57708da97d22a900d35456c4da086090N.exe	30
PID 2200 wrote to memory of 2648	2200	57708da97d22a900d35456c4da086090N.exe	30
PID 2200 wrote to memory of 2648	2200	57708da97d22a900d35456c4da086090N.exe	30
PID 2648 wrote to memory of 2628	2648	57708da97d22a900d35456c4da086090n_3202.exe	31
PID 2648 wrote to memory of 2628	2648	57708da97d22a900d35456c4da086090n_3202.exe	31
PID 2648 wrote to memory of 2628	2648	57708da97d22a900d35456c4da086090n_3202.exe	31
PID 2648 wrote to memory of 2628	2648	57708da97d22a900d35456c4da086090n_3202.exe	31
PID 2628 wrote to memory of 1628	2628	57708da97d22a900d35456c4da086090n_3202a.exe	32
PID 2628 wrote to memory of 1628	2628	57708da97d22a900d35456c4da086090n_3202a.exe	32
PID 2628 wrote to memory of 1628	2628	57708da97d22a900d35456c4da086090n_3202a.exe	32
PID 2628 wrote to memory of 1628	2628	57708da97d22a900d35456c4da086090n_3202a.exe	32
PID 1628 wrote to memory of 2780	1628	57708da97d22a900d35456c4da086090n_3202b.exe	33
PID 1628 wrote to memory of 2780	1628	57708da97d22a900d35456c4da086090n_3202b.exe	33
PID 1628 wrote to memory of 2780	1628	57708da97d22a900d35456c4da086090n_3202b.exe	33
PID 1628 wrote to memory of 2780	1628	57708da97d22a900d35456c4da086090n_3202b.exe	33
PID 2780 wrote to memory of 3000	2780	57708da97d22a900d35456c4da086090n_3202c.exe	34
PID 2780 wrote to memory of 3000	2780	57708da97d22a900d35456c4da086090n_3202c.exe	34
PID 2780 wrote to memory of 3000	2780	57708da97d22a900d35456c4da086090n_3202c.exe	34
PID 2780 wrote to memory of 3000	2780	57708da97d22a900d35456c4da086090n_3202c.exe	34
PID 3000 wrote to memory of 804	3000	57708da97d22a900d35456c4da086090n_3202d.exe	35
PID 3000 wrote to memory of 804	3000	57708da97d22a900d35456c4da086090n_3202d.exe	35
PID 3000 wrote to memory of 804	3000	57708da97d22a900d35456c4da086090n_3202d.exe	35
PID 3000 wrote to memory of 804	3000	57708da97d22a900d35456c4da086090n_3202d.exe	35
PID 804 wrote to memory of 2080	804	57708da97d22a900d35456c4da086090n_3202e.exe	36
PID 804 wrote to memory of 2080	804	57708da97d22a900d35456c4da086090n_3202e.exe	36
PID 804 wrote to memory of 2080	804	57708da97d22a900d35456c4da086090n_3202e.exe	36
PID 804 wrote to memory of 2080	804	57708da97d22a900d35456c4da086090n_3202e.exe	36
PID 2080 wrote to memory of 2132	2080	57708da97d22a900d35456c4da086090n_3202f.exe	37
PID 2080 wrote to memory of 2132	2080	57708da97d22a900d35456c4da086090n_3202f.exe	37
PID 2080 wrote to memory of 2132	2080	57708da97d22a900d35456c4da086090n_3202f.exe	37
PID 2080 wrote to memory of 2132	2080	57708da97d22a900d35456c4da086090n_3202f.exe	37
PID 2132 wrote to memory of 2268	2132	57708da97d22a900d35456c4da086090n_3202g.exe	38
PID 2132 wrote to memory of 2268	2132	57708da97d22a900d35456c4da086090n_3202g.exe	38
PID 2132 wrote to memory of 2268	2132	57708da97d22a900d35456c4da086090n_3202g.exe	38
PID 2132 wrote to memory of 2268	2132	57708da97d22a900d35456c4da086090n_3202g.exe	38
PID 2268 wrote to memory of 1968	2268	57708da97d22a900d35456c4da086090n_3202h.exe	39
PID 2268 wrote to memory of 1968	2268	57708da97d22a900d35456c4da086090n_3202h.exe	39
PID 2268 wrote to memory of 1968	2268	57708da97d22a900d35456c4da086090n_3202h.exe	39
PID 2268 wrote to memory of 1968	2268	57708da97d22a900d35456c4da086090n_3202h.exe	39
PID 1968 wrote to memory of 1880	1968	57708da97d22a900d35456c4da086090n_3202i.exe	40
PID 1968 wrote to memory of 1880	1968	57708da97d22a900d35456c4da086090n_3202i.exe	40
PID 1968 wrote to memory of 1880	1968	57708da97d22a900d35456c4da086090n_3202i.exe	40
PID 1968 wrote to memory of 1880	1968	57708da97d22a900d35456c4da086090n_3202i.exe	40
PID 1880 wrote to memory of 1960	1880	57708da97d22a900d35456c4da086090n_3202j.exe	41
PID 1880 wrote to memory of 1960	1880	57708da97d22a900d35456c4da086090n_3202j.exe	41
PID 1880 wrote to memory of 1960	1880	57708da97d22a900d35456c4da086090n_3202j.exe	41
PID 1880 wrote to memory of 1960	1880	57708da97d22a900d35456c4da086090n_3202j.exe	41
PID 1960 wrote to memory of 2484	1960	57708da97d22a900d35456c4da086090n_3202k.exe	42
PID 1960 wrote to memory of 2484	1960	57708da97d22a900d35456c4da086090n_3202k.exe	42
PID 1960 wrote to memory of 2484	1960	57708da97d22a900d35456c4da086090n_3202k.exe	42
PID 1960 wrote to memory of 2484	1960	57708da97d22a900d35456c4da086090n_3202k.exe	42
PID 2484 wrote to memory of 2176	2484	57708da97d22a900d35456c4da086090n_3202l.exe	43
PID 2484 wrote to memory of 2176	2484	57708da97d22a900d35456c4da086090n_3202l.exe	43
PID 2484 wrote to memory of 2176	2484	57708da97d22a900d35456c4da086090n_3202l.exe	43
PID 2484 wrote to memory of 2176	2484	57708da97d22a900d35456c4da086090n_3202l.exe	43
PID 2176 wrote to memory of 2000	2176	57708da97d22a900d35456c4da086090n_3202m.exe	44
PID 2176 wrote to memory of 2000	2176	57708da97d22a900d35456c4da086090n_3202m.exe	44
PID 2176 wrote to memory of 2000	2176	57708da97d22a900d35456c4da086090n_3202m.exe	44
PID 2176 wrote to memory of 2000	2176	57708da97d22a900d35456c4da086090n_3202m.exe	44
PID 2000 wrote to memory of 880	2000	57708da97d22a900d35456c4da086090n_3202n.exe	45
PID 2000 wrote to memory of 880	2000	57708da97d22a900d35456c4da086090n_3202n.exe	45
PID 2000 wrote to memory of 880	2000	57708da97d22a900d35456c4da086090n_3202n.exe	45
PID 2000 wrote to memory of 880	2000	57708da97d22a900d35456c4da086090n_3202n.exe	45

C:\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090N.exe
"C:\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
- \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202.exe
  c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2648
- - \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202a.exe
    c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202b.exe
      c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1628
    - - \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202c.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202d.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202e.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202f.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202g.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202h.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202i.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202j.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202k.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202l.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202m.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202n.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202o.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:880
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202p.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1524
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202q.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1300
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202r.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1520
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202s.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1732
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202t.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1648
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202u.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1544
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202v.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:2444
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202w.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1036
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202x.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        
        PID:1564
        
        \??\c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202y.exe
        
        c:\users\admin\appdata\local\temp\57708da97d22a900d35456c4da086090n_3202y.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202.exe

Filesize
324KB

MD5
f39c43ae14ac1628e13abf281f5aa21a

SHA1
42d535142c5dce3f79f9654a9b75193edfd7a271

SHA256
0073f9c4bba53b985ee30794772cd60f4ef872dec8e6735c5b4c68fa6d64041d

SHA512
413440d11a47900aaee45737bd809ed05acdfc1e8f69c83dbbecc0ece8fdc15912db7b0d0858c2ad5e4341009fa2632bd6cf3c9dcb7a62d039a9999fc1099754

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202a.exe

Filesize
324KB

MD5
df3fceac89f152afb9a9d896b9a74949

SHA1
2ca39e6ff9ec5caa06ad8139fabbed1613dceac6

SHA256
b664d1369ee46a61c32b2dfe0339daec3cfc5bd79ee6d27d415fe3f23d49c37c

SHA512
07c8aed5ee98e4734146f2d854317ef04583213d6d37cff9e548ea923a47b93a5f4e026abb67a046c2340be0eb03f63a12002f2385aba5d2be55fbe4e97c37f2

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202b.exe

Filesize
324KB

MD5
d1314174f59567054bda211ec3e6d872

SHA1
67ba624fc04657231433b97928c957dc874966d1

SHA256
685950aae82bb80456295925dea690a5ad4806286ddf210e8b321c9dcc3ee7e9

SHA512
141830256fe680d19028d085471de342d1998fd01f9d857f5a457393fd5d620597e30e99d2acd93884db86cfd18ac38060215116ead7dea250e7656c8de5d543

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202c.exe

Filesize
325KB

MD5
479d5e1748705ad50f3b9a466a66e260

SHA1
743859584a899a23066588dedef2ef67890f3bbf

SHA256
e0c96565718c075b8c23a187efacde8d08ff180b035cd79b1560244931f4a55e

SHA512
bcdb4ed97e8181caadbb644040f057fb1cfd5657c9da06aa94721a1a0e24271e04bff5df9b7b96faa2a958c8d5787200b255ddf3897cc7baf9db497035fca8d5

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202d.exe

Filesize
325KB

MD5
a719cd9a37a40b5bc08212778fad6ef5

SHA1
d3d1705bc8c71acc9ff0ff9483ac6eb86007f94c

SHA256
d912078937ffb0d28ab8df66b7d6b2f8c4124e58616a18c5b6d517af5f34ad51

SHA512
ad36eec7677b27779b4a35af513a302eb4b924c5e160adee2a823569750edc029c4d8c2488c3440012827b2abec9f48b997e24b3dbbf8bc2ea339dab02d82eaf

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202e.exe

Filesize
325KB

MD5
32bed8ed5f4481e22f0531aab35ce8a5

SHA1
21f99d3b2531dd1a316de7c3d364dd3cc158da02

SHA256
7247682f2d9d3e90792e5c3a01945a383eca7fad742571b1e1403e427d7ffec0

SHA512
ea9960699b2d3d043de5f80c3aeb7e327eb42eea6df6f5deeff35f5a76b8228c44122705b2cd9a2b22da3f10b131f351e62064b27f7be1fe806e184b02951ba8

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202f.exe

Filesize
325KB

MD5
73f194199ef3d84e1f26baaaa1453ac9

SHA1
1aae439b982550704410f5c2a4a048a63d5aef82

SHA256
cd9bcce928849aaf7aaa0e229869f5d90e12b9a06d84fccfa727c5fca55f7795

SHA512
f0bd358183b45e87cc5976a1a22c9d408997604a9048eda53ba9e471203b58ce774400650038638cf048ebd72960970e9f7b8a52c913c73a03dc5ab2f06d4452

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202g.exe

Filesize
326KB

MD5
35b1a2c39ca119f3a16473c8ac8937bb

SHA1
e29e8a6950f259a395bdcf1f2812599612c048b2

SHA256
95a0c734b2efee40c433e1e44cce8d26923f176bfabce9d24b45fe5c4684ae62

SHA512
0c0bb722b28fd066083a67c17412590e034010688f12c46d8bd1261ebcd9e0dd37fbfa992b57f7e299a0b7b23a55283fd337f989fc8f9c0b822f214b8e154620

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202h.exe

Filesize
326KB

MD5
1675862c62149d9ea98c4a67bff9416a

SHA1
3515ab68f6b3d89a9d817da509757b0e4885a213

SHA256
540453c6289b164cb805390ad332eb8642c6b37fb9db976bd7b48400e83a3982

SHA512
001fa78e43407d022eb518f1fea7455bd08d685fb0ea88e2a41e57fd89b0c1180336661123684f5aa6b571b829155fabab857bd33fd27f6973f4d335911053b3

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202i.exe

Filesize
326KB

MD5
28af7fe61a5f5a310d7963ccf3552b92

SHA1
f5b45217c8f9703a534483a0d67f44fa3777dbcd

SHA256
1ddd6704e6073975ce912c2e778c25caf1f025deb2cc9724fa6fefdd30a2e008

SHA512
0a43844db720ddcee72c7edc5b846dca095bf67ab1ba395c450e61e5fd00d60e767e611a1240cf7a5a0a6f8b4ede4b6a4958b09c24e3ac9b5b616508972bd2d8

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202j.exe

Filesize
326KB

MD5
63a1ebc44d2f5af02a848e0bbbc3d0ec

SHA1
d73af2ffe91900e45654e0965ae6db6fdfe523b4

SHA256
2dd2c62658bcd5add0e4d9374776fa74384612f339d3fd43dd3f436d2fa89356

SHA512
f64635d1788d6d92437fd0c697cf9751b9c99cfe1d961f1dbab2e8258b094f87f593b3ace4a7041b77975ce659cc35e1431b89b98a8ff980f10d5bb61b4eadb0

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202k.exe

Filesize
327KB

MD5
dffd8fe8b9f97284046d0e8e6b3d836b

SHA1
1ded7e8d44b02d33662c1037b021f9dfa50c8511

SHA256
ab0b7719b1d33cd26230f5d91631d0de72f497b62e293a753d4233ba6ac7931b

SHA512
6988946bc10b619d6744efb0ff1c0143b184bad3c216998a7834ce5922ededfd9ab3c05a283fde1ce37ab1d27bb368d611210225742b0f3fc4fd5077c2d03715

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202l.exe

Filesize
327KB

MD5
3dd32ae2fc6f3933bb33790fb5a14acb

SHA1
1144801b31976bb996383ebbac75bb1a6c203224

SHA256
eebcc5b90f4ee0d5166d0d9e39e4e0cc4e23781579d7e7b7ef5612e2fcd50e3c

SHA512
808f8198eb0cc266ec6ebb4d0cd7664007629ed916deb5bbc575d6d9c74f86834ae8db7c1bb78df1140191863a70d78a735fd63bb6825398774a79c37bd64ae6

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202m.exe

Filesize
327KB

MD5
a9fe9be8c58df2922e5d85fa470939ac

SHA1
3192ca7e5145399e04af96aff3b575308e4288fd

SHA256
4c9809679bfae7a98b7aa8e95161447208064ff2d1010a01a8a311b201901caa

SHA512
0db0c3cc2d49e3bedb29d6e12f570968dfaa83cd9488f7da610f43b626f8c7d7503e5c968ddb5989090e929d1139be94e817977ac6f782533e4ad12600ec2fc1

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202n.exe

Filesize
327KB

MD5
9ffa98c10db69bae9005db002f4f5893

SHA1
e5d3c5a5593698da8fd700a9f0f5c5037c0d08de

SHA256
a36215e87659b8e467f3e3f1e7fbec9c99a843e76c2b1de8260f26c149214076

SHA512
57e9b098156cc4a8a117a29ef0c9a485e4242060320a58844e1a214022ce416e5a82eabaa0a24f6cb01588ad114df938d4fd98eda39fb26882286787987d3d6f

Download Submit
\Users\Admin\AppData\Local\Temp\57708da97d22a900d35456c4da086090n_3202o.exe

Filesize
327KB

MD5
bfba3d56638958609f7f56c6ee938a1c

SHA1
779e5fb1d57e2220a0b0c01fd11394fb6c7b5be3

SHA256
bb14ff4bd8b2fceaf6024ac903db47f8f6bab966c247e7f6158351207600e89a

SHA512
65899c991d1ee9d6c31b7d3cd78f2f9bb0f22d6865fa856811c4c0d37c379111dd206929a19bda6a3d854c9f7722a82df3855bd2c1b03f2e8195a934081c9dd7

Download Submit
memory/804-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-235-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/880-246-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/1036-322-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1036-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1300-267-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1520-278-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1520-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1524-257-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-311-0x00000000003B0000-0x00000000003EB000-memory.dmp

Filesize
236KB

Download
memory/1544-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1564-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1628-53-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1628-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1648-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1732-288-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1732-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-190-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-187-0x00000000002D0000-0x000000000030B000-memory.dmp

Filesize
236KB

Download
memory/1968-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-228-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2000-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2080-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2080-112-0x0000000000370000-0x00000000003AB000-memory.dmp

Filesize
236KB

Download
memory/2080-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2132-205-0x0000000000340000-0x000000000037B000-memory.dmp

Filesize
236KB

Download
memory/2132-131-0x0000000000340000-0x000000000037B000-memory.dmp

Filesize
236KB

Download
memory/2132-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2176-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2200-7-0x0000000000540000-0x000000000057B000-memory.dmp

Filesize
236KB

Download
memory/2200-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2268-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2444-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2484-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-29-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2648-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2748-343-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2780-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3000-74-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads