5baf23b2959ca72f381e0fcfcfac837d8e7230fa4288e3163cdc5a99189cd2cd

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4e30d5b2300d4ee00f15322e025470N.exe
Size

400KB
MD5

7e4e30d5b2300d4ee00f15322e025470
SHA1

8d583d59d4dbf4517e2a22ae2a7dc13e0c414f04
SHA256

5baf23b2959ca72f381e0fcfcfac837d8e7230fa4288e3163cdc5a99189cd2cd
SHA512

e7f9eedc3b11c84445339164e782209dc685decbf12c8d238c297fc6c277ae6059eb48286f27dadfb8e545dbb39d275bff3c881c5968ac6ab9066b924f116109
SSDEEP

6144:wt5xoNthj0I2aR1zmYiHXwfSZ4sXAFHh:aTst31zji3wl

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
2008	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
1556	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
2464	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
1500	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
396	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
800	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
888	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
1968	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
2156	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
2200	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
2192	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
1620	7e4e30d5b2300d4ee00f15322e025470N.exe
1620	7e4e30d5b2300d4ee00f15322e025470N.exe
1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
2008	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
2008	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
1556	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
1556	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
2464	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
2464	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
1500	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
1500	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
396	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
396	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
800	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
800	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
888	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
888	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
1968	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
1968	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
2156	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
2156	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
2200	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
2200	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202.exe\""	7e4e30d5b2300d4ee00f15322e025470N.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 1876905595bd01b9	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1464	1620	7e4e30d5b2300d4ee00f15322e025470N.exe	30
PID 1620 wrote to memory of 1464	1620	7e4e30d5b2300d4ee00f15322e025470N.exe	30
PID 1620 wrote to memory of 1464	1620	7e4e30d5b2300d4ee00f15322e025470N.exe	30
PID 1620 wrote to memory of 1464	1620	7e4e30d5b2300d4ee00f15322e025470N.exe	30
PID 1464 wrote to memory of 2288	1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	31
PID 1464 wrote to memory of 2288	1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	31
PID 1464 wrote to memory of 2288	1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	31
PID 1464 wrote to memory of 2288	1464	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	31
PID 2288 wrote to memory of 1776	2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	32
PID 2288 wrote to memory of 1776	2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	32
PID 2288 wrote to memory of 1776	2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	32
PID 2288 wrote to memory of 1776	2288	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	32
PID 1776 wrote to memory of 2796	1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	33
PID 1776 wrote to memory of 2796	1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	33
PID 1776 wrote to memory of 2796	1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	33
PID 1776 wrote to memory of 2796	1776	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	33
PID 2796 wrote to memory of 3028	2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	34
PID 2796 wrote to memory of 3028	2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	34
PID 2796 wrote to memory of 3028	2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	34
PID 2796 wrote to memory of 3028	2796	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	34
PID 3028 wrote to memory of 2608	3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	35
PID 3028 wrote to memory of 2608	3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	35
PID 3028 wrote to memory of 2608	3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	35
PID 3028 wrote to memory of 2608	3028	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	35
PID 2608 wrote to memory of 2580	2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	36
PID 2608 wrote to memory of 2580	2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	36
PID 2608 wrote to memory of 2580	2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	36
PID 2608 wrote to memory of 2580	2608	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	36
PID 2580 wrote to memory of 744	2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	37
PID 2580 wrote to memory of 744	2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	37
PID 2580 wrote to memory of 744	2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	37
PID 2580 wrote to memory of 744	2580	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	37
PID 744 wrote to memory of 272	744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	38
PID 744 wrote to memory of 272	744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	38
PID 744 wrote to memory of 272	744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	38
PID 744 wrote to memory of 272	744	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	38
PID 272 wrote to memory of 2928	272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	39
PID 272 wrote to memory of 2928	272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	39
PID 272 wrote to memory of 2928	272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	39
PID 272 wrote to memory of 2928	272	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	39
PID 2928 wrote to memory of 2000	2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	40
PID 2928 wrote to memory of 2000	2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	40
PID 2928 wrote to memory of 2000	2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	40
PID 2928 wrote to memory of 2000	2928	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	40
PID 2000 wrote to memory of 1956	2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	41
PID 2000 wrote to memory of 1956	2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	41
PID 2000 wrote to memory of 1956	2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	41
PID 2000 wrote to memory of 1956	2000	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	41
PID 1956 wrote to memory of 1848	1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	42
PID 1956 wrote to memory of 1848	1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	42
PID 1956 wrote to memory of 1848	1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	42
PID 1956 wrote to memory of 1848	1956	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	42
PID 1848 wrote to memory of 820	1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	43
PID 1848 wrote to memory of 820	1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	43
PID 1848 wrote to memory of 820	1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	43
PID 1848 wrote to memory of 820	1848	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	43
PID 820 wrote to memory of 2100	820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	44
PID 820 wrote to memory of 2100	820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	44
PID 820 wrote to memory of 2100	820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	44
PID 820 wrote to memory of 2100	820	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	44
PID 2100 wrote to memory of 2008	2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	45
PID 2100 wrote to memory of 2008	2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	45
PID 2100 wrote to memory of 2008	2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	45
PID 2100 wrote to memory of 2008	2100	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	45

C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470N.exe
"C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe
  c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
    c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
      c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1776
    - - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:396
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:800
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:888
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe

Filesize
400KB

MD5
7937033671c83c00e0fe814bd99745e3

SHA1
541dafe36e0452d5f39b2bf4398a562cde78d1a7

SHA256
1e1db0b64bab8c67287300838cabff598d9bee9c1b43c5e10b7e3c1b2735977d

SHA512
2cf0f059e1d87e73d92a97811be8a2f68c043edaaa9cc8bf3b2d6d20e9a829ada3f5fa087928961a3f3d62635533cfb73711182064daa58b5d531a60186c1d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe

Filesize
400KB

MD5
ecd84bbbf5e147ce6534e39bb2a5ace8

SHA1
cd349b9bd61076a199bf5c2e6dc8f809a806524c

SHA256
0d66e21d3618e8b3ac93be32f89fe81fad5d37cb974bd09a271337b0d0269541

SHA512
0a565f0eb72c30faef9d7e0e7775399c6dab9d0e58f523542d9fdb94013c4e87ff67195e6e3054142620c4b4e13964326ff4d4caf23c61872c8952cbe08c96fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe

Filesize
400KB

MD5
8d717717b8d233774a130e92ba683cc3

SHA1
354778a56801df439f3d1fb578e2b2ca68e8273a

SHA256
2b34e93e1f8f808312a468757ca4cb8fe641ea05c3a0357c4e7cf55b355cec91

SHA512
804b2eb855a18a2d9fb8d61d06b63fb4e53e26cb29f42cc7d8e717798d2ff38ca9f67d95998fc69e46b353b2b46be4381916bc6dc5ac09cc23f74ce4bfde8bb7

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe

Filesize
400KB

MD5
cc5af1f9f9af62db784eca526f481b5c

SHA1
b55f7fc6af0975fbb99f951ab0c843b72aeb2c81

SHA256
82c8938a5bca27a6370f872efef0f542c4a6c80eba722d82897674a967f5410c

SHA512
c2ea5af35e217a650ccb0ef20720228daf8d7de0bc0c634567a237b56224b54070620c4482c89ae0c46028adae5953a7b677337ead02e2bc797cb1440853f81d

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe

Filesize
400KB

MD5
dc9a5fdb14a1092aac132d8f48669518

SHA1
34f30ae6ad6ec149e13a1aac7396b7ad377195d8

SHA256
98648e77f0b5c30303997427cfc1ede4f3ad0d26610d84d41b1b4194fa786ef9

SHA512
9fafd1dc91bba3f2bd0309a26652c114fb10ff43c3e2b4a935fb3532812cb805c31bf68e704e31580f355513e2a2c70c37c43faa8f5732a5770ab305c63e5cff

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe

Filesize
400KB

MD5
a9086c9c8c769228d2f2c2bb2ecc1ff8

SHA1
fb5fe2fbad19c26c6cd03c6bacaa955e5a1b191d

SHA256
9910b5e6fb7cc841b2735c70ceb7b42c4a21658699ae290df9bf1db05c41bb40

SHA512
481fd6fe115c55177fac030fd972785eb949a008309b8c22d232eaa44371ff92adfb64d945ad3c1efd8dcbcdd0cfd02a6fea6d4cdcac4225db048f33e971ca49

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe

Filesize
400KB

MD5
9697d36934dfc7f7476a9170dc008f84

SHA1
65cf9e0398952bf16f2067b1b1c412e60056cf1c

SHA256
2ceb9c1e62b3b381bd3a0fefe322f7b2cfec4dd4bad5c306ade8631ff0cf0cef

SHA512
9bcf12b845aee97bd07281249a76b37eff81b1e634581f28e52fbb491b697324318b1845ff6942d3aff45ea1d685414b4aa2378b8c29d8711fbe39185de8f8ca

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe

Filesize
400KB

MD5
3fd37bb82e92ff190e5d4f819f213c91

SHA1
5fa2187551accadcc4a4637e30266fca554f6a0a

SHA256
02e1bd8ac75b6bb37c4c642ef62c127437a6ef299858f44113108ff5d504abdd

SHA512
7cef129075e5fc25bc8dfb8f5bc2aaac4048c217d8423a165439fdd48b282bfc78b666281aca15a7fd0ab3b11ded3e0c5016238c11dc696ab5679f3cbf8133f1

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe

Filesize
400KB

MD5
90a7e4b27d4f8dd75ee17a41447e18e2

SHA1
26c680aaad07d9c056aba89177cdc8bae51b9e3e

SHA256
f1d5dd2d46cbbf41e58f73afcde5cabf03362c198bcb6713150071aa7816bd92

SHA512
d18a526379a201f3855a33324c3686cc946c556638a116aa17b9460d9d9a6d4dd6455be7236d0a46344d27ef93f975e4286f1ce5e75f48ef224934412e5bdc2f

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe

Filesize
400KB

MD5
4707be3738ae9234a24b998300cd7b53

SHA1
a0e978f6e42e8440475f7432bba0eeb6778ccac8

SHA256
055370c5556149dea62a25684abb870a8afd5a008b7fc0d69ab82b38fdcfc0f0

SHA512
af478b42659e5f8ef899bb6f9ab8d4a99f7abb03b45f26b608d3d2bde7104e5543aa01feeaa8dd3b131aa08a1c8cd7311bea18632a5b85c159aec040ec903868

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe

Filesize
400KB

MD5
78b4975faef557b75c16644760bd67c2

SHA1
ab89a01f6aa07ef5e14c2363eeebd7c69297eba3

SHA256
fecb6d062b2c9572ded74cbbeadd794e9b2de2cdd96ece5e377215d6751d7d18

SHA512
bc8eaa756d3827e068680b0f9773630bbb2e509eb758cc4e87caf65cbc60e8e27847debe9c3a42dcd2c8e678c778a4b5c39e33e78628fa92fd430ffdeadee103

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe

Filesize
400KB

MD5
d90e98f38220e70f010b88cba049ad02

SHA1
a12fdcf303be78ce631e24b7703c6aadc1f87e5a

SHA256
25173bdfeb0d1e0f2913593240521ec4dad182b66f41836d5217535d0743e43e

SHA512
16eef58ea936fa6e785c2f40eb3f7f6ea7cb0d61e10a722021edb5af10af59472b2512229baa64f9f9e52574d31f4fbba77e6507acb4e40e64e2e2b8d8103c36

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe

Filesize
400KB

MD5
66839c5896d0a71e70305b4b89efe09b

SHA1
389e4c3ac40390d187d32e444f0dc38a62107734

SHA256
7279deccb9dc8b7d8633687e1cca74ac778b3485ea076c854af4b191c2703edb

SHA512
c7b62fcfdf6135860ebe69bfa40affa67b4b0f7d897fc4d05e3369b6a05ed01c0681fed69a6f734a7abc8ea8e16a08c93005f2afde56d67450da69b98d248c9f

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe

Filesize
400KB

MD5
68a54e43d787a254b2c9a050e9a9b1c4

SHA1
ffb12e5700de4a2898d5ea05a50ae5f8b59fce7f

SHA256
652c40e41d1b7ee8baaa36828950b17435d5bb4d8f39ea953d9ed39d15d199e8

SHA512
63337ab41a90f04a597be1c432105adc31201de04826f4308279c37331e07ba7ec2a72715aa87366a64b9da8bd7a9fa82e7f7bba0cd75921145d111fd7fa474a

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe

Filesize
400KB

MD5
0130e26c1515bbe817029fc572649ad9

SHA1
32fabe095977c5d86cb9682013e3fdee85d14cb7

SHA256
acd6f2bccbba9d83fcb43c0c7c6fea49de34f31203333d214de00beaf761a5e2

SHA512
b138998492f90546352aefa658fc57040427eb2aca0bb8adc53c24d765874c9e1d91bbe3891362017826ad452a819396098ae3847241a76df0cb35a682530c72

Download Submit
\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe

Filesize
401KB

MD5
21a8f3d7032af67356799ceef8073072

SHA1
9d49b095d6e3f4b742f6c97ef0b171372778eddd

SHA256
c89c4337ccf32145f2af921786b68c92b26fa295bd5187cf26203d480e1b1791

SHA512
797b9c74f581b29e30795e0ac7545cfb06e8c3d2ffe5f274485b4544ed01b1cd9c2db53192ffc64098c2f3485be881cbe9c38b9924da944afe15253946739e9c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads