49a96181cf0cab4c89785057d7884dea850ef09ea2b58ccb6536af6a924ffd3f

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5cb55eb127ee63eee10005e79a8d230N.exe
Size

580KB
MD5

f5cb55eb127ee63eee10005e79a8d230
SHA1

8b449435f9adc0a4f41bdc96a6f35da31c216117
SHA256

49a96181cf0cab4c89785057d7884dea850ef09ea2b58ccb6536af6a924ffd3f
SHA512

3a688b87cb1b0a93a56d8f2cee4ffdc645fb12db95398638218b127168d0f16e82baa5bc805f4d0b09e5296f2ce7d3f8aff52f29993260797d7fe2efa65253f2
SSDEEP

6144:phbZ5hMTNFf8LAurlEzAX7orwfSZ4sXUzQIQfVKezcdwgnc7:jtXMzqrllX7EwfEIQtJ

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
4428	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
3168	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
1556	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
3652	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
4892	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
4584	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
4380	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
4908	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
1180	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
868	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
4800	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
4956	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
4520	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
5016	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
3140	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
3432	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
1364	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
2608	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
816	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
5088	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
1912	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
4548	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
4856	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
2964	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
4176	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
2664	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4760-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00090000000234ab-5.dat	upx
behavioral2/memory/4760-7-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4428-17-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3168-27-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1556-35-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3652-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4892-52-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00070000000234b8-61.dat	upx
behavioral2/memory/4584-62-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4908-88-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4380-87-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1180-86-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/868-96-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1180-92-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4908-77-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/868-100-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4800-109-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4520-120-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3140-146-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5016-145-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3432-166-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1364-165-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5088-195-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5088-201-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1912-200-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/816-197-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2608-187-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/816-185-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1364-176-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2608-175-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3140-157-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3432-155-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4520-135-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/5016-136-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4956-126-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1912-208-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-209.dat	upx
behavioral2/memory/4548-217-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4856-228-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2964-236-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4176-245-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2664-247-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202.exe\""	f5cb55eb127ee63eee10005e79a8d230N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe\""	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	f5cb55eb127ee63eee10005e79a8d230n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 79295f133917f57a	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4428	4760	f5cb55eb127ee63eee10005e79a8d230N.exe	84
PID 4760 wrote to memory of 4428	4760	f5cb55eb127ee63eee10005e79a8d230N.exe	84
PID 4760 wrote to memory of 4428	4760	f5cb55eb127ee63eee10005e79a8d230N.exe	84
PID 4428 wrote to memory of 3168	4428	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	85
PID 4428 wrote to memory of 3168	4428	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	85
PID 4428 wrote to memory of 3168	4428	f5cb55eb127ee63eee10005e79a8d230n_3202.exe	85
PID 3168 wrote to memory of 1556	3168	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	86
PID 3168 wrote to memory of 1556	3168	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	86
PID 3168 wrote to memory of 1556	3168	f5cb55eb127ee63eee10005e79a8d230n_3202a.exe	86
PID 1556 wrote to memory of 3652	1556	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	87
PID 1556 wrote to memory of 3652	1556	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	87
PID 1556 wrote to memory of 3652	1556	f5cb55eb127ee63eee10005e79a8d230n_3202b.exe	87
PID 3652 wrote to memory of 4892	3652	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	88
PID 3652 wrote to memory of 4892	3652	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	88
PID 3652 wrote to memory of 4892	3652	f5cb55eb127ee63eee10005e79a8d230n_3202c.exe	88
PID 4892 wrote to memory of 4584	4892	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	89
PID 4892 wrote to memory of 4584	4892	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	89
PID 4892 wrote to memory of 4584	4892	f5cb55eb127ee63eee10005e79a8d230n_3202d.exe	89
PID 4584 wrote to memory of 4380	4584	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	91
PID 4584 wrote to memory of 4380	4584	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	91
PID 4584 wrote to memory of 4380	4584	f5cb55eb127ee63eee10005e79a8d230n_3202e.exe	91
PID 4380 wrote to memory of 4908	4380	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	93
PID 4380 wrote to memory of 4908	4380	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	93
PID 4380 wrote to memory of 4908	4380	f5cb55eb127ee63eee10005e79a8d230n_3202f.exe	93
PID 4908 wrote to memory of 1180	4908	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	94
PID 4908 wrote to memory of 1180	4908	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	94
PID 4908 wrote to memory of 1180	4908	f5cb55eb127ee63eee10005e79a8d230n_3202g.exe	94
PID 1180 wrote to memory of 868	1180	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	95
PID 1180 wrote to memory of 868	1180	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	95
PID 1180 wrote to memory of 868	1180	f5cb55eb127ee63eee10005e79a8d230n_3202h.exe	95
PID 868 wrote to memory of 4800	868	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	97
PID 868 wrote to memory of 4800	868	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	97
PID 868 wrote to memory of 4800	868	f5cb55eb127ee63eee10005e79a8d230n_3202i.exe	97
PID 4800 wrote to memory of 4956	4800	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	98
PID 4800 wrote to memory of 4956	4800	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	98
PID 4800 wrote to memory of 4956	4800	f5cb55eb127ee63eee10005e79a8d230n_3202j.exe	98
PID 4956 wrote to memory of 4520	4956	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	99
PID 4956 wrote to memory of 4520	4956	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	99
PID 4956 wrote to memory of 4520	4956	f5cb55eb127ee63eee10005e79a8d230n_3202k.exe	99
PID 4520 wrote to memory of 5016	4520	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	100
PID 4520 wrote to memory of 5016	4520	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	100
PID 4520 wrote to memory of 5016	4520	f5cb55eb127ee63eee10005e79a8d230n_3202l.exe	100
PID 5016 wrote to memory of 3140	5016	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	101
PID 5016 wrote to memory of 3140	5016	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	101
PID 5016 wrote to memory of 3140	5016	f5cb55eb127ee63eee10005e79a8d230n_3202m.exe	101
PID 3140 wrote to memory of 3432	3140	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	102
PID 3140 wrote to memory of 3432	3140	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	102
PID 3140 wrote to memory of 3432	3140	f5cb55eb127ee63eee10005e79a8d230n_3202n.exe	102
PID 3432 wrote to memory of 1364	3432	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe	103
PID 3432 wrote to memory of 1364	3432	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe	103
PID 3432 wrote to memory of 1364	3432	f5cb55eb127ee63eee10005e79a8d230n_3202o.exe	103
PID 1364 wrote to memory of 2608	1364	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe	104
PID 1364 wrote to memory of 2608	1364	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe	104
PID 1364 wrote to memory of 2608	1364	f5cb55eb127ee63eee10005e79a8d230n_3202p.exe	104
PID 2608 wrote to memory of 816	2608	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe	105
PID 2608 wrote to memory of 816	2608	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe	105
PID 2608 wrote to memory of 816	2608	f5cb55eb127ee63eee10005e79a8d230n_3202q.exe	105
PID 816 wrote to memory of 5088	816	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe	106
PID 816 wrote to memory of 5088	816	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe	106
PID 816 wrote to memory of 5088	816	f5cb55eb127ee63eee10005e79a8d230n_3202r.exe	106
PID 5088 wrote to memory of 1912	5088	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe	107
PID 5088 wrote to memory of 1912	5088	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe	107
PID 5088 wrote to memory of 1912	5088	f5cb55eb127ee63eee10005e79a8d230n_3202s.exe	107
PID 1912 wrote to memory of 4548	1912	f5cb55eb127ee63eee10005e79a8d230n_3202t.exe	108

C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230N.exe
"C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760
- \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe
  c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4428
- - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
    c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
      c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1556
    - - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
        
        \??\c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
        
        c:\users\admin\appdata\local\temp\f5cb55eb127ee63eee10005e79a8d230n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202.exe

Filesize
580KB

MD5
2c923ab3613fbdec8f9423616b8e9c6d

SHA1
96ad1079502085076b4ac9b71acb44cf39058ec3

SHA256
3958a1041b858e96ff847f8e8a514857634b9a7db57c666111e98b1567d0586f

SHA512
525a71e1ea57e6d5e0ac2026c37980faac7031d59961b5f188f6539c6edd29e16ccb2b7e154e78b676a4ac9933a94461708e950ddc7bafe2c4b87d61d7ead580

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202f.exe

Filesize
580KB

MD5
3b0b628da5bf83782589c1adbfd512c5

SHA1
891b87cbc2a9ad35044856aec938a27630dadd73

SHA256
185482178ab13df4fa0ea103cd124683f4927a079c7a38c15e5514498f8df879

SHA512
281bca7795e7dc93be5358434a189ef7f10734912b09e7a7588c3fa77f214621dbbf22e41ee48de360eec6a82b09cfad1177e3a1deb697b1d66c3e2125b28d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5cb55eb127ee63eee10005e79a8d230n_3202u.exe

Filesize
580KB

MD5
adb043b0dc80c5124524858e0b4fe942

SHA1
67814f3aea2a853bb8d43d533eb8dedf4ef7e20c

SHA256
da4ca9db46314950b3ca51143e52d370f5e24ace707887a410e9ad3039cd7590

SHA512
ada7d159fbca1662c55b6f24efd99023340e6143779806f1a97514372210f1eedfb243388cadbaca8b5e9a6c2cf11f999c0f594dc2b47b0d38bd7e2c38969121

Download Submit
memory/816-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/816-185-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/868-96-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1180-86-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1180-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1364-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1364-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1556-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1912-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2608-187-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2608-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2664-247-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3140-146-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3140-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3168-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3432-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3652-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4176-245-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4380-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-17-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4520-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4548-217-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4584-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4760-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4760-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4800-109-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4856-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4892-52-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4908-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4908-77-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4956-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5016-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5016-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5088-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5088-195-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads