5baf23b2959ca72f381e0fcfcfac837d8e7230fa4288e3163cdc5a99189cd2cd

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4e30d5b2300d4ee00f15322e025470N.exe
Size

400KB
MD5

7e4e30d5b2300d4ee00f15322e025470
SHA1

8d583d59d4dbf4517e2a22ae2a7dc13e0c414f04
SHA256

5baf23b2959ca72f381e0fcfcfac837d8e7230fa4288e3163cdc5a99189cd2cd
SHA512

e7f9eedc3b11c84445339164e782209dc685decbf12c8d238c297fc6c277ae6059eb48286f27dadfb8e545dbb39d275bff3c881c5968ac6ab9066b924f116109
SSDEEP

6144:wt5xoNthj0I2aR1zmYiHXwfSZ4sXAFHh:aTst31zji3wl

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
400	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
2724	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
3600	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
1000	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
2264	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
212	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
2568	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
1100	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
4108	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
3856	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
3120	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
4144	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
4956	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
5040	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
2720	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
3844	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
2896	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
1784	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
3372	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
4372	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
2988	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
3084	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
2524	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
3592	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
4332	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
336	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202.exe\""	7e4e30d5b2300d4ee00f15322e025470N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe\""	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = de439ef0d1581364	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 400	4244	7e4e30d5b2300d4ee00f15322e025470N.exe	84
PID 4244 wrote to memory of 400	4244	7e4e30d5b2300d4ee00f15322e025470N.exe	84
PID 4244 wrote to memory of 400	4244	7e4e30d5b2300d4ee00f15322e025470N.exe	84
PID 400 wrote to memory of 2724	400	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	85
PID 400 wrote to memory of 2724	400	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	85
PID 400 wrote to memory of 2724	400	7e4e30d5b2300d4ee00f15322e025470n_3202.exe	85
PID 2724 wrote to memory of 3600	2724	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	86
PID 2724 wrote to memory of 3600	2724	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	86
PID 2724 wrote to memory of 3600	2724	7e4e30d5b2300d4ee00f15322e025470n_3202a.exe	86
PID 3600 wrote to memory of 1000	3600	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	87
PID 3600 wrote to memory of 1000	3600	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	87
PID 3600 wrote to memory of 1000	3600	7e4e30d5b2300d4ee00f15322e025470n_3202b.exe	87
PID 1000 wrote to memory of 2264	1000	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	88
PID 1000 wrote to memory of 2264	1000	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	88
PID 1000 wrote to memory of 2264	1000	7e4e30d5b2300d4ee00f15322e025470n_3202c.exe	88
PID 2264 wrote to memory of 212	2264	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	89
PID 2264 wrote to memory of 212	2264	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	89
PID 2264 wrote to memory of 212	2264	7e4e30d5b2300d4ee00f15322e025470n_3202d.exe	89
PID 212 wrote to memory of 2568	212	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	91
PID 212 wrote to memory of 2568	212	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	91
PID 212 wrote to memory of 2568	212	7e4e30d5b2300d4ee00f15322e025470n_3202e.exe	91
PID 2568 wrote to memory of 1100	2568	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	92
PID 2568 wrote to memory of 1100	2568	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	92
PID 2568 wrote to memory of 1100	2568	7e4e30d5b2300d4ee00f15322e025470n_3202f.exe	92
PID 1100 wrote to memory of 4108	1100	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	94
PID 1100 wrote to memory of 4108	1100	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	94
PID 1100 wrote to memory of 4108	1100	7e4e30d5b2300d4ee00f15322e025470n_3202g.exe	94
PID 4108 wrote to memory of 3856	4108	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	95
PID 4108 wrote to memory of 3856	4108	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	95
PID 4108 wrote to memory of 3856	4108	7e4e30d5b2300d4ee00f15322e025470n_3202h.exe	95
PID 3856 wrote to memory of 3120	3856	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	96
PID 3856 wrote to memory of 3120	3856	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	96
PID 3856 wrote to memory of 3120	3856	7e4e30d5b2300d4ee00f15322e025470n_3202i.exe	96
PID 3120 wrote to memory of 4144	3120	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	97
PID 3120 wrote to memory of 4144	3120	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	97
PID 3120 wrote to memory of 4144	3120	7e4e30d5b2300d4ee00f15322e025470n_3202j.exe	97
PID 4144 wrote to memory of 4956	4144	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	99
PID 4144 wrote to memory of 4956	4144	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	99
PID 4144 wrote to memory of 4956	4144	7e4e30d5b2300d4ee00f15322e025470n_3202k.exe	99
PID 4956 wrote to memory of 5040	4956	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	100
PID 4956 wrote to memory of 5040	4956	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	100
PID 4956 wrote to memory of 5040	4956	7e4e30d5b2300d4ee00f15322e025470n_3202l.exe	100
PID 5040 wrote to memory of 2720	5040	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	101
PID 5040 wrote to memory of 2720	5040	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	101
PID 5040 wrote to memory of 2720	5040	7e4e30d5b2300d4ee00f15322e025470n_3202m.exe	101
PID 2720 wrote to memory of 3844	2720	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	102
PID 2720 wrote to memory of 3844	2720	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	102
PID 2720 wrote to memory of 3844	2720	7e4e30d5b2300d4ee00f15322e025470n_3202n.exe	102
PID 3844 wrote to memory of 2896	3844	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe	103
PID 3844 wrote to memory of 2896	3844	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe	103
PID 3844 wrote to memory of 2896	3844	7e4e30d5b2300d4ee00f15322e025470n_3202o.exe	103
PID 2896 wrote to memory of 1784	2896	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe	104
PID 2896 wrote to memory of 1784	2896	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe	104
PID 2896 wrote to memory of 1784	2896	7e4e30d5b2300d4ee00f15322e025470n_3202p.exe	104
PID 1784 wrote to memory of 3372	1784	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe	105
PID 1784 wrote to memory of 3372	1784	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe	105
PID 1784 wrote to memory of 3372	1784	7e4e30d5b2300d4ee00f15322e025470n_3202q.exe	105
PID 3372 wrote to memory of 4372	3372	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe	106
PID 3372 wrote to memory of 4372	3372	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe	106
PID 3372 wrote to memory of 4372	3372	7e4e30d5b2300d4ee00f15322e025470n_3202r.exe	106
PID 4372 wrote to memory of 2988	4372	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe	107
PID 4372 wrote to memory of 2988	4372	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe	107
PID 4372 wrote to memory of 2988	4372	7e4e30d5b2300d4ee00f15322e025470n_3202s.exe	107
PID 2988 wrote to memory of 3084	2988	7e4e30d5b2300d4ee00f15322e025470n_3202t.exe	108

C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470N.exe
"C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244
- \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe
  c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:400
- - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
    c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
      c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3600
    - - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3084
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3592
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        \??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
        
        c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202.exe

Filesize
400KB

MD5
6955f822ef76c1f5325e0e9e129e0594

SHA1
34a5cc1b29e4fabab29a0b15a670ea4dfa791413

SHA256
80c6e4d1af9e72a4206a748bee9cf83a2e76133b8a66f5656a6d74f9749ff268

SHA512
7016565226146cb108290041a8879d47f5e41decce8442cedf71226961cf0aff533a9dd78ec250fd1d13696455af6339d3dfc78efe3f50551c08bfcfec1a1734

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202a.exe

Filesize
400KB

MD5
27ad8790a1d03d348a13564cc45bbf11

SHA1
756f6eb14a9004e7b06e754e4c4ebafb0f135036

SHA256
2a2569255cbdb61a367bb53f1cf8ca688bb4a22826e34308406af3db7532cd1e

SHA512
f3206020d90a5c5cc722ef88fe32f177da8eb60863470811631f3d6322439b32ebf458652c4f3a4a79e4f5ac38c39483623a53097e54a0ca54e75d9ca6807ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202b.exe

Filesize
400KB

MD5
c86bc3599c1e263a720f18470b3c3b97

SHA1
8514571f67eb0459f890d84feafb6be30a00ef7c

SHA256
393effdd5fd7cc22f8ce259e10373c48c3e5dfaf9ad04334dc3ea6a52f68fc36

SHA512
402a52c4555ae461ce909f1341677cbeddd3475a660721b131e9c138ce484f33a62f47ebfa18e9eb0837d98672cbbd7fcc9b5265ef55906ff8457a32a126eb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202c.exe

Filesize
400KB

MD5
77b722bb274e9a9139e96a11ff05c285

SHA1
819a202b9e4dd8e62b7dfdd1f8e220896e2815a2

SHA256
35d312320ce0e1a3ff091f2408d24bf9ae59ee9101882e75d79cd52536baf592

SHA512
8bdcc652834161f3f8decb75c60e2ade82a9493089583cf1cabe3905407550e37afab544cc65c08756621c40da99d6589c661e4f1027fb486b19c9b750ff9740

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202d.exe

Filesize
400KB

MD5
5db57ff131a1889bd0c0efd8a4316372

SHA1
6e139d4a9065ed8b2901700eb73b682ded79cd41

SHA256
13a7e93870a18cca768ad5f9dcd91d234f28c3eecf7ff0b10b2e11cdf04dd81a

SHA512
e0191ae3f54515c3eaf1ba92f57ef58170b0f8c3ca455b6fe422058aa0b360406b8b292577db0de348a75d1b660f02d3c20c6ddf0a267ea000a5b14cdda05660

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202e.exe

Filesize
400KB

MD5
b05b3883254da67238fc60f1c003175a

SHA1
776b857a40b4ce68bccb286882e01f79d60f84d3

SHA256
47d76d7345d44bb2aa1a3781d4db381a327b11a5b78c260360f603fa17b95966

SHA512
7bf691ed8e92aa1f6c10dfd7560baf5a3b3b5a706b342c8ee0488e7a32eb81dda07391a406a6fe35fff1a12093865ba0632294ced8bd46d8bc26bc7084862c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202f.exe

Filesize
400KB

MD5
941e90c3a2e51fd8f7def7b34337cc41

SHA1
7a678344ad38a01a52695a2fbd19cc1492d7f6e5

SHA256
14282b5aa033f9e94ecfccb67c3880df15770a4e001dda3f867c1f340edaf621

SHA512
b3eb29dfae34c98f3799cf1481f900e09cc4c0da603e2303206a09a47c93e9376d9351fac226ab9812144e17194dec14392b15ce2bf926fef972b56ab1d735bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202g.exe

Filesize
400KB

MD5
e67947e88705415d96ecc75369b1e487

SHA1
c5d8fcfc0de7b7737cfad1eaef44793c3bdae211

SHA256
3e54c02dfa394eebd5e2f9f30235f6fdfb9296ad8e46bbd9ad0f72b315e10f9b

SHA512
ca57fa36439f71b55870454536dcc5d76caa0cd8f50c707f40bb042f34a0a442fc3eec9646bb58f20fa957c91d775d86d12d318e09c72ed2603d4587fc579811

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202i.exe

Filesize
400KB

MD5
15833844dbd70ee8b56ef2b75babfa7a

SHA1
833222af14ee3a857e4031e4b27ac0cd50d99c6b

SHA256
6bc631d9b23162b66d794f74abb174a0140a0d215667b7e58589eff7fa905405

SHA512
99d38819f4f8b4b4823336be0b0761b9bbfcaec1bdee37852b2c8e28d580e18d78c09314d982fb496db4f2363340c7517154ad91f46ab19e7965d6edbe8e7b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202j.exe

Filesize
400KB

MD5
a3dff2b51d45e8491ecbd427e7158a38

SHA1
c9caea11cb3e6553d7c16bedf2d159433ea5aedf

SHA256
2b6736a6cdb822a76f1cd3b4eb67db09a4e0e2c0a604e05d9e68f4d39f8c639c

SHA512
d6b13149fb95cb1471c6d0708a95d5bbe859458eda62b123ca7daaf1a40e79ae1edcd6e295c44cdbb2655ff603d82b09e1ed5d7e5a5b49a52206b825a551e51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202k.exe

Filesize
400KB

MD5
7b50012f3e220037c84e4b8c94967616

SHA1
5ce200971e06cc58717b417648105c7313c3ecb3

SHA256
77a55fc8f292c2da93f47f063e7b81376a67f75e97bd89adcb8dccaacf69de06

SHA512
8e9d5fe53c980d30462d6a30dae9de5416766e796a9c6d015e38caa638c560d53d6963fa344d8d9073548a8e5c1bcdcde53b5d0fc58c485070fe0736f36a85d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202o.exe

Filesize
401KB

MD5
025efcb33fb2945baf5e996a2280a6a5

SHA1
29c7f4f128c10d52a748cd16bc4d6e07d0b0895a

SHA256
7f4ecfe6f467122332f22dcb21628bf68c815f4f497b9eb13f5246fa9577265f

SHA512
87ea4d73750b986f8a2fd887f3cc043660c270ed85bbccd7a030ae96cf5cef15e3b9c9e6c2cd61ed337ab32f7f302ee10c63ccde7757469743c15239c3c8fd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202q.exe

Filesize
401KB

MD5
0f5f5afae777a2ef389e24a4a667c84f

SHA1
a520153992f654cff2bed1a5408b082df4bcb3b2

SHA256
a9f3c3e934c419cfa3726ffe0a34e551bc688be888a296161133565831f10486

SHA512
82474fb829005c963895f1af75c90c6607c5acf7e57f188fd02eca2e772e88914ab679b11bb978cd5d06c777cf1b316d76ba25f055267f041737f3fec634642a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202t.exe

Filesize
402KB

MD5
dbbc95a811821927ed339212f5e01cdc

SHA1
0a6d86d6b837b256f2253c6415cd7284d44258bf

SHA256
24bb875964df1c84ed085eb46399e07b85516efa23881e4633c5c9e135739f71

SHA512
82a8d19d4201a8c82e87a5e201e4948cc1a50f905db09c43c068017126b09bf06748f61e4ce74e9d0a14deac45fe44e25cfebb5cc943e839cc827279c060efaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202v.exe

Filesize
402KB

MD5
e7c78e08fc6507b2d81e055879e1aa53

SHA1
98a01cc1140d222741ac30071df95cdb11263584

SHA256
b55cc36be725d69ced92184bc6e12b6b0b7f05006b926a6da8b089f6fb9d218e

SHA512
af13179d873859cde93929177b07406495ae750edc998dd0e6b5c69f360bec0103263d221240e3ee817f1b7f27cea5a0614b39b84a3409220297561813522e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202w.exe

Filesize
403KB

MD5
89fc0ed73a83ec5b8e6d44344e7fe630

SHA1
5310a68b8696d0a660781387e47bdb0e5bedb15c

SHA256
b1314b80186e5a580ddf4f5c5016868cdb0b14f398183be6f4318c620472163c

SHA512
c8ee9464ebac70a5d415724595648ce56e3d4a7221b3c3c5c7b4bfaf64d1d2119ea7a2999ff6ff622a1d4547af94b25f0b0cc9b7de317a3a2dc23a5572f4b99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202x.exe

Filesize
403KB

MD5
444539f3ce22b19f8bb480d616e1c780

SHA1
bd9cce81f9b63837947599980322581851859ecd

SHA256
eb429cb54121a31c9f1643aac7e01e342f82f3384b78a6909c2945c00effe358

SHA512
cf258085602359cb8677166f261d0658af901f5e2c81d5501a67a53a962a9f507c00353fb48a6b3e98b1c47aae84095eb5a59ade9ba5c11b1444843ab2cf28f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e4e30d5b2300d4ee00f15322e025470n_3202y.exe

Filesize
403KB

MD5
0a60cd6280a5376005d7a2f1fbcc2af7

SHA1
ea1bb19e607a768dbd2662f75c1bb88c02b784bc

SHA256
864cf2a466896a0b74f19fd82389d2d23f1441094cff0b79b070bd2d62169d6f

SHA512
b6dad2a689110756e307af45a386ba2000ead76dd6c06c60c87d2503373bb61cfb04ba02f88dec8b349f46e456a73bec12b7f300b75a8cad6ede100ae2dd41b3

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202h.exe

Filesize
400KB

MD5
68fa4d1c07577883426d6dd837e7c481

SHA1
7ee85eddef9bdc0c92095ee74981edfe132c9c63

SHA256
ddd3b45d50d4c159a50b382efe43b9def3b6265d10d28f2960ebee9df61d1866

SHA512
265e268285a6bf2c6d27f6c006c43224ad76e64ccd14e72b43d21dd50cfef35e9edfa81c86a097420228f4946f8c7ae3f9c8e3508999ee3c1fc3d6e6d7b0d8fb

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202l.exe

Filesize
400KB

MD5
1771a8cf9d86c7339d4b814701ea70af

SHA1
ed8d8e5439751e579c54aafd0210ff3dc1f1230a

SHA256
a655a38ab3a3d89ab98e39539616f99b004d6cf816e673068cf2f65e3b1d7406

SHA512
ce61396d7dd4b6e66f4185f939b57d5175504850445957c8eaac5fb89f4cdbdcacf913bd3489484ea5c9e9386425245837b6715d36bbdf1043472826e9da6490

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202m.exe

Filesize
400KB

MD5
ae8eb094ecdf5d819da491fd322ad849

SHA1
732cae66aa904f608f9d150d92c4c61d63f6c3c6

SHA256
e26f2385ccc475e4200ab730f1ef537e8303a8a0ab0fa5d2c1c1028fc7f278de

SHA512
d5d1932c51a176f576f72e44a873312ad5d0ec7b0d832f84f17fb53d1d2a755acd456adf5b8593512339e7bcb7de68b92e0071b804b4b623af4352b0adc1d252

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202n.exe

Filesize
400KB

MD5
655a1e0e589f77b88b0ba8d33041526d

SHA1
c2566785086c06b3d062ff969d827b42c4d2d8fe

SHA256
cca842cf7e8236d3a477ea25f10299ed917300215d0abfb1290d5c0d87e8e67b

SHA512
b97842ca2eb0c7b3504a0e874b4db6dde763af21cfde9cf36f2c3e980f4f1fad9e2e473be17f35a62d9660260c11cb6b93d6680f562f1365f3d1b207d315601f

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202p.exe

Filesize
401KB

MD5
f56d0d46431bf68b27aa6e190e0adb84

SHA1
40b0b3b62e982352e19ecc2a417aaa1fa82874bc

SHA256
95a0d47158c8ac94993e5c2048540c5f65003a5c4f48aebc974e8a8e5b48a9a5

SHA512
cfad5f7f086e1321be90f5a7fd3f8df77b5555d4a466c6b4fabf1252e66e849593e6104beb81d4e12355e16b02e74a877e3361292b6f429da42fc9144c7f09cf

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202r.exe

Filesize
401KB

MD5
7e856e94407780f0df89833f509bff9c

SHA1
758588e6d1e1013e8f359b116ccebeb397f5a56e

SHA256
701cbf7ebb9a73170e2b2a769f4fa2f80434b4df26accfc647d3e3ba919aff46

SHA512
30c6cfeac4b771cab4850aa0ae3752141160e4b94b0aedbbe0556386785380d339a1870178524faf5a1ebdff59eb41a6a1f2e9ad052b203a91122743db048a30

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202s.exe

Filesize
402KB

MD5
1c651c41e74ced0f20072f972d843a41

SHA1
faf1d469d54686365c277c5757b88d828e4716fe

SHA256
312a4bd2f995061a1a3d226348460434ca15c01800c596ea6ca4c33a8575a41c

SHA512
7b81a68eb1bcdf3f60cf34459c60dad20e0e2c6bd4f98a796678c668632c57e7d0d77a5e2222ed03aaba0fba7df972ef1938331c9cb342270dd510a5bd4bdf96

Download Submit
\??\c:\users\admin\appdata\local\temp\7e4e30d5b2300d4ee00f15322e025470n_3202u.exe

Filesize
402KB

MD5
f72eb301f04d502ca734a474708f0e66

SHA1
fad918c814e1d2948be38354817921facd6215e7

SHA256
fae41d7c75e8bca497ca5ce76a24797227ae9e837a11cb7d0ba24889818753ce

SHA512
29d8db20a7614b9c59354c71de80d67856990db157a0bc580cc94118749e29cc4419314acce2a8dc540e8f0232f4ae20366e31851be169d4e8ac1511cbb88022

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads