a81af2a99d9ae6883730d9e8d798b053c946c8ed6fdcac66f653b2f91bba94af

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9070d619125867ffee89e8a25d26b3d0N.exe
Size

359KB
MD5

9070d619125867ffee89e8a25d26b3d0
SHA1

d6ff0eeea545797641e148be1b6307715f53a017
SHA256

a81af2a99d9ae6883730d9e8d798b053c946c8ed6fdcac66f653b2f91bba94af
SHA512

f593a81c7fc2c97ff694ba4735b25f41ea58e42b4f3ce520de818671ec57f718d88a6bdf118947bd8a0252e8b34f26a598815d555c9389e8329d32c17d47446c
SSDEEP

6144:vhbZ5hMTNFf8LAurlEzAX7oAwfSZ4sXUzQIKS:ZtXMzqrllX7XwfEI1

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

9070d619125867ffee89e8a25d26b3d0n_3202.exe9070d619125867ffee89e8a25d26b3d0n_3202a.exe9070d619125867ffee89e8a25d26b3d0n_3202b.exe9070d619125867ffee89e8a25d26b3d0n_3202c.exe9070d619125867ffee89e8a25d26b3d0n_3202d.exe9070d619125867ffee89e8a25d26b3d0n_3202e.exe9070d619125867ffee89e8a25d26b3d0n_3202f.exe9070d619125867ffee89e8a25d26b3d0n_3202g.exe9070d619125867ffee89e8a25d26b3d0n_3202h.exe9070d619125867ffee89e8a25d26b3d0n_3202i.exe9070d619125867ffee89e8a25d26b3d0n_3202j.exe9070d619125867ffee89e8a25d26b3d0n_3202k.exe9070d619125867ffee89e8a25d26b3d0n_3202l.exe9070d619125867ffee89e8a25d26b3d0n_3202m.exe9070d619125867ffee89e8a25d26b3d0n_3202n.exe9070d619125867ffee89e8a25d26b3d0n_3202o.exe9070d619125867ffee89e8a25d26b3d0n_3202p.exe9070d619125867ffee89e8a25d26b3d0n_3202q.exe9070d619125867ffee89e8a25d26b3d0n_3202r.exe9070d619125867ffee89e8a25d26b3d0n_3202s.exe9070d619125867ffee89e8a25d26b3d0n_3202t.exe9070d619125867ffee89e8a25d26b3d0n_3202u.exe9070d619125867ffee89e8a25d26b3d0n_3202v.exe9070d619125867ffee89e8a25d26b3d0n_3202w.exe9070d619125867ffee89e8a25d26b3d0n_3202x.exe9070d619125867ffee89e8a25d26b3d0n_3202y.exe

pid	process
2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe
2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
1568	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
992	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
1700	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
2488	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
2304	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
2948	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
2308	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
1936	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
2436	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
2716	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
2684	9070d619125867ffee89e8a25d26b3d0n_3202y.exe

Loads dropped DLL 52 IoCs

Processes:

9070d619125867ffee89e8a25d26b3d0N.exe9070d619125867ffee89e8a25d26b3d0n_3202.exe9070d619125867ffee89e8a25d26b3d0n_3202a.exe9070d619125867ffee89e8a25d26b3d0n_3202b.exe9070d619125867ffee89e8a25d26b3d0n_3202c.exe9070d619125867ffee89e8a25d26b3d0n_3202d.exe9070d619125867ffee89e8a25d26b3d0n_3202e.exe9070d619125867ffee89e8a25d26b3d0n_3202f.exe9070d619125867ffee89e8a25d26b3d0n_3202g.exe9070d619125867ffee89e8a25d26b3d0n_3202h.exe9070d619125867ffee89e8a25d26b3d0n_3202i.exe9070d619125867ffee89e8a25d26b3d0n_3202j.exe9070d619125867ffee89e8a25d26b3d0n_3202k.exe9070d619125867ffee89e8a25d26b3d0n_3202l.exe9070d619125867ffee89e8a25d26b3d0n_3202m.exe9070d619125867ffee89e8a25d26b3d0n_3202n.exe9070d619125867ffee89e8a25d26b3d0n_3202o.exe9070d619125867ffee89e8a25d26b3d0n_3202p.exe9070d619125867ffee89e8a25d26b3d0n_3202q.exe9070d619125867ffee89e8a25d26b3d0n_3202r.exe9070d619125867ffee89e8a25d26b3d0n_3202s.exe9070d619125867ffee89e8a25d26b3d0n_3202t.exe9070d619125867ffee89e8a25d26b3d0n_3202u.exe9070d619125867ffee89e8a25d26b3d0n_3202v.exe9070d619125867ffee89e8a25d26b3d0n_3202w.exe9070d619125867ffee89e8a25d26b3d0n_3202x.exe

pid	process
2656	9070d619125867ffee89e8a25d26b3d0N.exe
2656	9070d619125867ffee89e8a25d26b3d0N.exe
2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe
2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe
2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
1568	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
1568	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
992	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
992	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
1700	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
1700	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
2488	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
2488	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
2304	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
2304	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
2948	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
2948	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
2308	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
2308	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
1936	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
1936	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
2436	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
2436	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
2716	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
2716	9070d619125867ffee89e8a25d26b3d0n_3202x.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2656-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202.exe	upx
behavioral1/memory/2656-12-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2788-14-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2848-35-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2788-27-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2848-38-0x0000000000290000-0x00000000002CA000-memory.dmp	upx
behavioral1/memory/2848-44-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2816-45-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2816-58-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202d.exe	upx
behavioral1/memory/1444-74-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/3016-72-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1444-88-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1744-103-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2100-104-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2100-118-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1964-132-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/484-133-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2988-148-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/484-146-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1020-164-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202k.exe	upx
behavioral1/memory/2192-178-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1836-225-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/992-251-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1700-272-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2304-294-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2948-305-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2716-338-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2436-337-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2684-350-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2684-349-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2716-348-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2436-327-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1936-326-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1936-321-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2308-315-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2948-295-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2488-283-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2488-278-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1700-262-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/992-261-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1568-250-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1568-239-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1836-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2136-222-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2136-209-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2292-206-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2292-194-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2192-191-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1020-176-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2988-161-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9070d619125867ffee89e8a25d26b3d0n_3202a.exe9070d619125867ffee89e8a25d26b3d0n_3202d.exe9070d619125867ffee89e8a25d26b3d0n_3202j.exe9070d619125867ffee89e8a25d26b3d0n_3202u.exe9070d619125867ffee89e8a25d26b3d0n_3202x.exe9070d619125867ffee89e8a25d26b3d0n_3202g.exe9070d619125867ffee89e8a25d26b3d0n_3202q.exe9070d619125867ffee89e8a25d26b3d0n_3202t.exe9070d619125867ffee89e8a25d26b3d0n_3202v.exe9070d619125867ffee89e8a25d26b3d0n_3202.exe9070d619125867ffee89e8a25d26b3d0n_3202c.exe9070d619125867ffee89e8a25d26b3d0n_3202f.exe9070d619125867ffee89e8a25d26b3d0n_3202i.exe9070d619125867ffee89e8a25d26b3d0n_3202m.exe9070d619125867ffee89e8a25d26b3d0n_3202b.exe9070d619125867ffee89e8a25d26b3d0n_3202r.exe9070d619125867ffee89e8a25d26b3d0n_3202w.exe9070d619125867ffee89e8a25d26b3d0n_3202k.exe9070d619125867ffee89e8a25d26b3d0n_3202p.exe9070d619125867ffee89e8a25d26b3d0n_3202s.exe9070d619125867ffee89e8a25d26b3d0n_3202e.exe9070d619125867ffee89e8a25d26b3d0n_3202l.exe9070d619125867ffee89e8a25d26b3d0n_3202n.exe9070d619125867ffee89e8a25d26b3d0n_3202o.exe9070d619125867ffee89e8a25d26b3d0N.exe9070d619125867ffee89e8a25d26b3d0n_3202h.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202b.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202e.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202k.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202v.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202y.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202h.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202r.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202u.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202w.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202a.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202d.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202g.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202j.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202n.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202c.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202s.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202x.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202l.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202q.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202t.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202f.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202m.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202o.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202p.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202.exe\""	9070d619125867ffee89e8a25d26b3d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\9070d619125867ffee89e8a25d26b3d0n_3202i.exe\""	9070d619125867ffee89e8a25d26b3d0n_3202h.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9070d619125867ffee89e8a25d26b3d0n_3202x.exe9070d619125867ffee89e8a25d26b3d0n_3202d.exe9070d619125867ffee89e8a25d26b3d0n_3202n.exe9070d619125867ffee89e8a25d26b3d0n_3202r.exe9070d619125867ffee89e8a25d26b3d0n_3202s.exe9070d619125867ffee89e8a25d26b3d0n_3202g.exe9070d619125867ffee89e8a25d26b3d0n_3202i.exe9070d619125867ffee89e8a25d26b3d0n_3202k.exe9070d619125867ffee89e8a25d26b3d0N.exe9070d619125867ffee89e8a25d26b3d0n_3202b.exe9070d619125867ffee89e8a25d26b3d0n_3202c.exe9070d619125867ffee89e8a25d26b3d0n_3202h.exe9070d619125867ffee89e8a25d26b3d0n_3202e.exe9070d619125867ffee89e8a25d26b3d0n_3202j.exe9070d619125867ffee89e8a25d26b3d0n_3202t.exe9070d619125867ffee89e8a25d26b3d0n_3202y.exe9070d619125867ffee89e8a25d26b3d0n_3202a.exe9070d619125867ffee89e8a25d26b3d0n_3202m.exe9070d619125867ffee89e8a25d26b3d0n_3202w.exe9070d619125867ffee89e8a25d26b3d0n_3202.exe9070d619125867ffee89e8a25d26b3d0n_3202o.exe9070d619125867ffee89e8a25d26b3d0n_3202p.exe9070d619125867ffee89e8a25d26b3d0n_3202q.exe9070d619125867ffee89e8a25d26b3d0n_3202f.exe9070d619125867ffee89e8a25d26b3d0n_3202l.exe9070d619125867ffee89e8a25d26b3d0n_3202u.exe9070d619125867ffee89e8a25d26b3d0n_3202v.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9070d619125867ffee89e8a25d26b3d0n_3202v.exe

Modifies registry class 54 IoCs

Processes:

9070d619125867ffee89e8a25d26b3d0n_3202s.exe9070d619125867ffee89e8a25d26b3d0n_3202x.exe9070d619125867ffee89e8a25d26b3d0N.exe9070d619125867ffee89e8a25d26b3d0n_3202f.exe9070d619125867ffee89e8a25d26b3d0n_3202p.exe9070d619125867ffee89e8a25d26b3d0n_3202r.exe9070d619125867ffee89e8a25d26b3d0n_3202g.exe9070d619125867ffee89e8a25d26b3d0n_3202h.exe9070d619125867ffee89e8a25d26b3d0n_3202w.exe9070d619125867ffee89e8a25d26b3d0n_3202a.exe9070d619125867ffee89e8a25d26b3d0n_3202e.exe9070d619125867ffee89e8a25d26b3d0n_3202c.exe9070d619125867ffee89e8a25d26b3d0n_3202j.exe9070d619125867ffee89e8a25d26b3d0n_3202l.exe9070d619125867ffee89e8a25d26b3d0n_3202t.exe9070d619125867ffee89e8a25d26b3d0n_3202i.exe9070d619125867ffee89e8a25d26b3d0n_3202q.exe9070d619125867ffee89e8a25d26b3d0n_3202.exe9070d619125867ffee89e8a25d26b3d0n_3202u.exe9070d619125867ffee89e8a25d26b3d0n_3202v.exe9070d619125867ffee89e8a25d26b3d0n_3202b.exe9070d619125867ffee89e8a25d26b3d0n_3202n.exe9070d619125867ffee89e8a25d26b3d0n_3202y.exe9070d619125867ffee89e8a25d26b3d0n_3202d.exe9070d619125867ffee89e8a25d26b3d0n_3202m.exe9070d619125867ffee89e8a25d26b3d0n_3202o.exe9070d619125867ffee89e8a25d26b3d0n_3202k.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = be8784ebd86a8d78	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	9070d619125867ffee89e8a25d26b3d0n_3202f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2656 wrote to memory of 2788	2656	9070d619125867ffee89e8a25d26b3d0N.exe	9070d619125867ffee89e8a25d26b3d0n_3202.exe
PID 2656 wrote to memory of 2788	2656	9070d619125867ffee89e8a25d26b3d0N.exe	9070d619125867ffee89e8a25d26b3d0n_3202.exe
PID 2656 wrote to memory of 2788	2656	9070d619125867ffee89e8a25d26b3d0N.exe	9070d619125867ffee89e8a25d26b3d0n_3202.exe
PID 2656 wrote to memory of 2788	2656	9070d619125867ffee89e8a25d26b3d0N.exe	9070d619125867ffee89e8a25d26b3d0n_3202.exe
PID 2788 wrote to memory of 2848	2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
PID 2788 wrote to memory of 2848	2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
PID 2788 wrote to memory of 2848	2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
PID 2788 wrote to memory of 2848	2788	9070d619125867ffee89e8a25d26b3d0n_3202.exe	9070d619125867ffee89e8a25d26b3d0n_3202a.exe
PID 2848 wrote to memory of 2816	2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
PID 2848 wrote to memory of 2816	2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
PID 2848 wrote to memory of 2816	2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
PID 2848 wrote to memory of 2816	2848	9070d619125867ffee89e8a25d26b3d0n_3202a.exe	9070d619125867ffee89e8a25d26b3d0n_3202b.exe
PID 2816 wrote to memory of 3016	2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
PID 2816 wrote to memory of 3016	2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
PID 2816 wrote to memory of 3016	2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
PID 2816 wrote to memory of 3016	2816	9070d619125867ffee89e8a25d26b3d0n_3202b.exe	9070d619125867ffee89e8a25d26b3d0n_3202c.exe
PID 3016 wrote to memory of 1444	3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
PID 3016 wrote to memory of 1444	3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
PID 3016 wrote to memory of 1444	3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
PID 3016 wrote to memory of 1444	3016	9070d619125867ffee89e8a25d26b3d0n_3202c.exe	9070d619125867ffee89e8a25d26b3d0n_3202d.exe
PID 1444 wrote to memory of 1744	1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
PID 1444 wrote to memory of 1744	1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
PID 1444 wrote to memory of 1744	1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
PID 1444 wrote to memory of 1744	1444	9070d619125867ffee89e8a25d26b3d0n_3202d.exe	9070d619125867ffee89e8a25d26b3d0n_3202e.exe
PID 1744 wrote to memory of 2100	1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
PID 1744 wrote to memory of 2100	1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
PID 1744 wrote to memory of 2100	1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
PID 1744 wrote to memory of 2100	1744	9070d619125867ffee89e8a25d26b3d0n_3202e.exe	9070d619125867ffee89e8a25d26b3d0n_3202f.exe
PID 2100 wrote to memory of 1964	2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
PID 2100 wrote to memory of 1964	2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
PID 2100 wrote to memory of 1964	2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
PID 2100 wrote to memory of 1964	2100	9070d619125867ffee89e8a25d26b3d0n_3202f.exe	9070d619125867ffee89e8a25d26b3d0n_3202g.exe
PID 1964 wrote to memory of 484	1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
PID 1964 wrote to memory of 484	1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
PID 1964 wrote to memory of 484	1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
PID 1964 wrote to memory of 484	1964	9070d619125867ffee89e8a25d26b3d0n_3202g.exe	9070d619125867ffee89e8a25d26b3d0n_3202h.exe
PID 484 wrote to memory of 2988	484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
PID 484 wrote to memory of 2988	484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
PID 484 wrote to memory of 2988	484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
PID 484 wrote to memory of 2988	484	9070d619125867ffee89e8a25d26b3d0n_3202h.exe	9070d619125867ffee89e8a25d26b3d0n_3202i.exe
PID 2988 wrote to memory of 1020	2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
PID 2988 wrote to memory of 1020	2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
PID 2988 wrote to memory of 1020	2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
PID 2988 wrote to memory of 1020	2988	9070d619125867ffee89e8a25d26b3d0n_3202i.exe	9070d619125867ffee89e8a25d26b3d0n_3202j.exe
PID 1020 wrote to memory of 2192	1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
PID 1020 wrote to memory of 2192	1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
PID 1020 wrote to memory of 2192	1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
PID 1020 wrote to memory of 2192	1020	9070d619125867ffee89e8a25d26b3d0n_3202j.exe	9070d619125867ffee89e8a25d26b3d0n_3202k.exe
PID 2192 wrote to memory of 2292	2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
PID 2192 wrote to memory of 2292	2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
PID 2192 wrote to memory of 2292	2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
PID 2192 wrote to memory of 2292	2192	9070d619125867ffee89e8a25d26b3d0n_3202k.exe	9070d619125867ffee89e8a25d26b3d0n_3202l.exe
PID 2292 wrote to memory of 2136	2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
PID 2292 wrote to memory of 2136	2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
PID 2292 wrote to memory of 2136	2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
PID 2292 wrote to memory of 2136	2292	9070d619125867ffee89e8a25d26b3d0n_3202l.exe	9070d619125867ffee89e8a25d26b3d0n_3202m.exe
PID 2136 wrote to memory of 1836	2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
PID 2136 wrote to memory of 1836	2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
PID 2136 wrote to memory of 1836	2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
PID 2136 wrote to memory of 1836	2136	9070d619125867ffee89e8a25d26b3d0n_3202m.exe	9070d619125867ffee89e8a25d26b3d0n_3202n.exe
PID 1836 wrote to memory of 1568	1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
PID 1836 wrote to memory of 1568	1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
PID 1836 wrote to memory of 1568	1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe	9070d619125867ffee89e8a25d26b3d0n_3202o.exe
PID 1836 wrote to memory of 1568	1836	9070d619125867ffee89e8a25d26b3d0n_3202n.exe	9070d619125867ffee89e8a25d26b3d0n_3202o.exe

C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0N.exe
"C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202a.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202a.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202b.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202b.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202c.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202c.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202d.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202d.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202e.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202e.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202f.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202f.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202g.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202g.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1964

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202h.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202h.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:484

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202i.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202i.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202j.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202j.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1020

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202k.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202k.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202l.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202l.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202m.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202m.exe
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202n.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202n.exe
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1836

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202o.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202o.exe
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1568

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202p.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202p.exe
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:992

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202q.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202q.exe
19⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1700

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202r.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202r.exe
20⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2488

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202s.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202s.exe
21⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2304

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202t.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202t.exe
22⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202u.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202u.exe
23⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2308

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202v.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202v.exe
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1936

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202w.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202w.exe
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202x.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202x.exe
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2716

\??\c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202y.exe
c:\users\admin\appdata\local\temp\9070d619125867ffee89e8a25d26b3d0n_3202y.exe
27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202.exe

Filesize
359KB

MD5
bc74d6ca02abc3dd315ece3e9a41e32f

SHA1
9cfaaa90ec8cf04df832f807429fda2837039770

SHA256
e0c024ba085068c680d542bec067553b6a52db178a139c020da405ac2c01a492

SHA512
ebfecf24257c0ebdd64262caa99ea8793afd82d5a2ac9c8c9dbe029d7782c4c8ad718f62bb8fdf50706f27f74f8a67a7de3af22721a02d7288d13d55d9747951

Download Submit
C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202d.exe

Filesize
359KB

MD5
cd1b35adccd65269ac0c94438bd5d991

SHA1
2410f7f33c310ec061d29694e6d48149c056986d

SHA256
e8b8c1ffaf3f91ca1337bc9e337aa18530b1a850c081892a4a74e8a28057053a

SHA512
584fb1b1888adcdf51ab6564ac6898c1c803e5eb699856d1ecb19471a232c07f9fa9fa8914a3aa63faee43698709ebdfffb5f4ec61317b53374af951c8b810f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9070d619125867ffee89e8a25d26b3d0n_3202k.exe

Filesize
359KB

MD5
b04a886c4d1c85534a01879c389cd746

SHA1
7aa0eab00cd54aaaeb37593eb3bda069fc916364

SHA256
c1a8d4ca0f8503a6e4a154f5ea8d1f1307b0cebc40577ee549c0feccd9600199

SHA512
bd23c71ef5a46aacb138426465cc623c39c6febe2cb162ab613c4d6f51817a6db5390066652a0c6bc5f77a57cd0a5ac989d30cc973205ffbc9ffe411d149e28e

Download Submit
memory/484-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/484-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/992-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/992-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1020-164-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1020-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1444-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-239-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1568-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1744-97-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1744-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1836-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1936-326-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1964-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2100-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2136-217-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/2136-209-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-194-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2292-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-294-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2304-290-0x0000000000370000-0x00000000003AA000-memory.dmp

Filesize
232KB

Download
memory/2308-315-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2436-327-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2436-337-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2488-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2684-349-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2684-350-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2716-338-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2716-348-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2788-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2816-45-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-44-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2848-38-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2848-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-295-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-305-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-148-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2988-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3016-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download