49a96181cf0cab4c89785057d7884dea850ef09ea2b58ccb6536af6a924ffd3f

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5cb55eb127ee63eee10005e79a8d230N.exe
Size

580KB
MD5

f5cb55eb127ee63eee10005e79a8d230
SHA1

8b449435f9adc0a4f41bdc96a6f35da31c216117
SHA256

49a96181cf0cab4c89785057d7884dea850ef09ea2b58ccb6536af6a924ffd3f
SHA512

3a688b87cb1b0a93a56d8f2cee4ffdc645fb12db95398638218b127168d0f16e82baa5bc805f4d0b09e5296f2ce7d3f8aff52f29993260797d7fe2efa65253f2
SSDEEP

6144:phbZ5hMTNFf8LAurlEzAX7orwfSZ4sXUzQIQfVKezcdwgnc7:jtXMzqrllX7EwfEIQtJ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
2168	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
608	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
1408	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
3008	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
2188	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
1744	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
1140	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
1636	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
2316	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
2292	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
2052	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2284	f5cb55eb127ee63eee10005e79a8d230N.exe
2284	f5cb55eb127ee63eee10005e79a8d230N.exe
1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
2168	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
2168	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
608	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
608	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
1408	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
1408	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
3008	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
3008	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
2188	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
2188	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
1744	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
1744	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
1140	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
1140	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
1636	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
1636	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
2316	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
2316	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
2292	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
2292	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2284-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0008000000016d90-6.dat	upx
behavioral1/memory/1248-21-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2284-14-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x00080000000174d0-29.dat	upx
behavioral1/memory/1248-28-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2712-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0004000000017801-140.dat	upx
behavioral1/memory/768-146-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/3008-269-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1744-291-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2292-339-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2052-345-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2292-344-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2316-333-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1636-323-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1636-313-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1140-312-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1744-301-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2188-290-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/3008-279-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1408-268-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/608-258-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/608-248-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2168-247-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1052-235-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1052-228-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/968-220-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1168-205-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1168-193-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1200-190-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1788-176-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1788-164-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2008-161-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/768-139-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2776-131-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1856-116-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1856-109-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/3016-101-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2628-87-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2628-80-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2792-72-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2624-57-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202.exe\""	f5cb55eb127ee63eee10005e79a8d230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b0e601940a7f9525	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1248	2284	f5cb55eb127ee63eee10005e79a8d230N.exe	31
PID 2284 wrote to memory of 1248	2284	f5cb55eb127ee63eee10005e79a8d230N.exe	31
PID 2284 wrote to memory of 1248	2284	f5cb55eb127ee63eee10005e79a8d230N.exe	31
PID 2284 wrote to memory of 1248	2284	f5cb55eb127ee63eee10005e79a8d230N.exe	31
PID 1248 wrote to memory of 2712	1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	32
PID 1248 wrote to memory of 2712	1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	32
PID 1248 wrote to memory of 2712	1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	32
PID 1248 wrote to memory of 2712	1248	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	32
PID 2712 wrote to memory of 2624	2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	33
PID 2712 wrote to memory of 2624	2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	33
PID 2712 wrote to memory of 2624	2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	33
PID 2712 wrote to memory of 2624	2712	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	33
PID 2624 wrote to memory of 2792	2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	34
PID 2624 wrote to memory of 2792	2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	34
PID 2624 wrote to memory of 2792	2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	34
PID 2624 wrote to memory of 2792	2624	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	34
PID 2792 wrote to memory of 2628	2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	35
PID 2792 wrote to memory of 2628	2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	35
PID 2792 wrote to memory of 2628	2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	35
PID 2792 wrote to memory of 2628	2792	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	35
PID 2628 wrote to memory of 3016	2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	36
PID 2628 wrote to memory of 3016	2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	36
PID 2628 wrote to memory of 3016	2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	36
PID 2628 wrote to memory of 3016	2628	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	36
PID 3016 wrote to memory of 1856	3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	37
PID 3016 wrote to memory of 1856	3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	37
PID 3016 wrote to memory of 1856	3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	37
PID 3016 wrote to memory of 1856	3016	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	37
PID 1856 wrote to memory of 2776	1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	38
PID 1856 wrote to memory of 2776	1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	38
PID 1856 wrote to memory of 2776	1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	38
PID 1856 wrote to memory of 2776	1856	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	38
PID 2776 wrote to memory of 768	2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	39
PID 2776 wrote to memory of 768	2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	39
PID 2776 wrote to memory of 768	2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	39
PID 2776 wrote to memory of 768	2776	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	39
PID 768 wrote to memory of 2008	768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	40
PID 768 wrote to memory of 2008	768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	40
PID 768 wrote to memory of 2008	768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	40
PID 768 wrote to memory of 2008	768	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	40
PID 2008 wrote to memory of 1788	2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	41
PID 2008 wrote to memory of 1788	2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	41
PID 2008 wrote to memory of 1788	2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	41
PID 2008 wrote to memory of 1788	2008	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	41
PID 1788 wrote to memory of 1200	1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	42
PID 1788 wrote to memory of 1200	1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	42
PID 1788 wrote to memory of 1200	1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	42
PID 1788 wrote to memory of 1200	1788	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	42
PID 1200 wrote to memory of 1168	1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	43
PID 1200 wrote to memory of 1168	1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	43
PID 1200 wrote to memory of 1168	1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	43
PID 1200 wrote to memory of 1168	1200	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	43
PID 1168 wrote to memory of 968	1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	44
PID 1168 wrote to memory of 968	1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	44
PID 1168 wrote to memory of 968	1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	44
PID 1168 wrote to memory of 968	1168	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	44
PID 968 wrote to memory of 1052	968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	45
PID 968 wrote to memory of 1052	968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	45
PID 968 wrote to memory of 1052	968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	45
PID 968 wrote to memory of 1052	968	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	45
PID 1052 wrote to memory of 2168	1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	46
PID 1052 wrote to memory of 2168	1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	46
PID 1052 wrote to memory of 2168	1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	46
PID 1052 wrote to memory of 2168	1052	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	46

C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230N.exe
"C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2284
- \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe
  c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1248
- - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
    c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
      c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2624
    - - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:608
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe

Filesize
580KB

MD5
3b0b628da5bf83782589c1adbfd512c5

SHA1
891b87cbc2a9ad35044856aec938a27630dadd73

SHA256
185482178ab13df4fa0ea103cd124683f4927a079c7a38c15e5514498f8df879

SHA512
281bca7795e7dc93be5358434a189ef7f10734912b09e7a7588c3fa77f214621dbbf22e41ee48de360eec6a82b09cfad1177e3a1deb697b1d66c3e2125b28d30

Download Submit
\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe

Filesize
580KB

MD5
2c923ab3613fbdec8f9423616b8e9c6d

SHA1
96ad1079502085076b4ac9b71acb44cf39058ec3

SHA256
3958a1041b858e96ff847f8e8a514857634b9a7db57c666111e98b1567d0586f

SHA512
525a71e1ea57e6d5e0ac2026c37980faac7031d59961b5f188f6539c6edd29e16ccb2b7e154e78b676a4ac9933a94461708e950ddc7bafe2c4b87d61d7ead580

Download Submit
\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe

Filesize
580KB

MD5
adb043b0dc80c5124524858e0b4fe942

SHA1
67814f3aea2a853bb8d43d533eb8dedf4ef7e20c

SHA256
da4ca9db46314950b3ca51143e52d370f5e24ace707887a410e9ad3039cd7590

SHA512
ada7d159fbca1662c55b6f24efd99023340e6143779806f1a97514372210f1eedfb243388cadbaca8b5e9a6c2cf11f999c0f594dc2b47b0d38bd7e2c38969121

Download Submit
memory/608-258-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/608-248-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/768-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/768-139-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-220-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/968-215-0x00000000003B0000-0x00000000003EB000-memory.dmp

Filesize
236KB

Download
memory/1052-235-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1052-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1140-312-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1140-308-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/1168-193-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1168-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1200-190-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1248-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1408-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1636-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1636-323-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1744-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1744-291-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1788-164-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1788-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-109-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1856-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-156-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2008-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-345-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2168-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-286-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/2284-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2284-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2284-12-0x00000000003A0000-0x00000000003DB000-memory.dmp

Filesize
236KB

Download
memory/2292-339-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2292-344-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2316-333-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2624-57-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2712-38-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/2776-126-0x00000000001B0000-0x00000000001EB000-memory.dmp

Filesize
236KB

Download
memory/2776-131-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-72-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2792-67-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/3008-279-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3008-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3016-101-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads