ceec0a9cc6bed7c9a678a71f4f1b99ccf18ecce78983f11b4dce269336cd400f

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

436377e810c418beb09d38e3ac54cb60N.exe
Size

553KB
MD5

436377e810c418beb09d38e3ac54cb60
SHA1

eb709c967c88e842ff9562cb8dd1fc2d8918baa7
SHA256

ceec0a9cc6bed7c9a678a71f4f1b99ccf18ecce78983f11b4dce269336cd400f
SHA512

0dfb8365b1866310e6868e3dafe65484707fdf7c848248c2b4d52018b489bae82aea74f641307921f8e9071572211b58d848df8c5468bd536579c1811b04291f
SSDEEP

6144:NhbZ5hMTNFf8LAurlEzAX7orwfSZ4sXUzQIHfXuPJ2:/tXMzqrllX7EwfEIHM2

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2000	436377e810c418beb09d38e3ac54cb60n_3202.exe
2332	436377e810c418beb09d38e3ac54cb60n_3202a.exe
1064	436377e810c418beb09d38e3ac54cb60n_3202b.exe
3144	436377e810c418beb09d38e3ac54cb60n_3202c.exe
1964	436377e810c418beb09d38e3ac54cb60n_3202d.exe
3948	436377e810c418beb09d38e3ac54cb60n_3202e.exe
4960	436377e810c418beb09d38e3ac54cb60n_3202f.exe
3324	436377e810c418beb09d38e3ac54cb60n_3202g.exe
3424	436377e810c418beb09d38e3ac54cb60n_3202h.exe
3520	436377e810c418beb09d38e3ac54cb60n_3202i.exe
1048	436377e810c418beb09d38e3ac54cb60n_3202j.exe
3588	436377e810c418beb09d38e3ac54cb60n_3202k.exe
4768	436377e810c418beb09d38e3ac54cb60n_3202l.exe
4428	436377e810c418beb09d38e3ac54cb60n_3202m.exe
4244	436377e810c418beb09d38e3ac54cb60n_3202n.exe
2092	436377e810c418beb09d38e3ac54cb60n_3202o.exe
3252	436377e810c418beb09d38e3ac54cb60n_3202p.exe
1632	436377e810c418beb09d38e3ac54cb60n_3202q.exe
1796	436377e810c418beb09d38e3ac54cb60n_3202r.exe
3240	436377e810c418beb09d38e3ac54cb60n_3202s.exe
2896	436377e810c418beb09d38e3ac54cb60n_3202t.exe
740	436377e810c418beb09d38e3ac54cb60n_3202u.exe
2052	436377e810c418beb09d38e3ac54cb60n_3202v.exe
4020	436377e810c418beb09d38e3ac54cb60n_3202w.exe
4264	436377e810c418beb09d38e3ac54cb60n_3202x.exe
2584	436377e810c418beb09d38e3ac54cb60n_3202y.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3728-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x000900000002346d-5.dat	upx
behavioral2/memory/3728-8-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2332-27-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2000-17-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1064-36-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3144-45-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3948-70-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4960-71-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1048-106-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1048-112-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3588-111-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3520-108-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3520-92-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3424-91-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3588-121-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0002000000022aa8-130.dat	upx
behavioral2/memory/4768-129-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2092-156-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1632-172-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3252-166-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1632-176-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4020-233-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4264-242-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2584-243-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x0003000000000707-241.dat	upx
behavioral2/memory/2052-222-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/740-212-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/740-210-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2896-213-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1796-201-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/2896-200-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3240-199-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3240-190-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4244-147-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4428-138-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3324-87-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/1964-60-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/3948-54-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202c.exe\""	436377e810c418beb09d38e3ac54cb60n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202q.exe\""	436377e810c418beb09d38e3ac54cb60n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202w.exe\""	436377e810c418beb09d38e3ac54cb60n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202y.exe\""	436377e810c418beb09d38e3ac54cb60n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202a.exe\""	436377e810c418beb09d38e3ac54cb60n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202d.exe\""	436377e810c418beb09d38e3ac54cb60n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202e.exe\""	436377e810c418beb09d38e3ac54cb60n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202j.exe\""	436377e810c418beb09d38e3ac54cb60n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202l.exe\""	436377e810c418beb09d38e3ac54cb60n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202m.exe\""	436377e810c418beb09d38e3ac54cb60n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202o.exe\""	436377e810c418beb09d38e3ac54cb60n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202g.exe\""	436377e810c418beb09d38e3ac54cb60n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202p.exe\""	436377e810c418beb09d38e3ac54cb60n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202v.exe\""	436377e810c418beb09d38e3ac54cb60n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202i.exe\""	436377e810c418beb09d38e3ac54cb60n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202k.exe\""	436377e810c418beb09d38e3ac54cb60n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202n.exe\""	436377e810c418beb09d38e3ac54cb60n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202r.exe\""	436377e810c418beb09d38e3ac54cb60n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202f.exe\""	436377e810c418beb09d38e3ac54cb60n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202h.exe\""	436377e810c418beb09d38e3ac54cb60n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202s.exe\""	436377e810c418beb09d38e3ac54cb60n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202t.exe\""	436377e810c418beb09d38e3ac54cb60n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202.exe\""	436377e810c418beb09d38e3ac54cb60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202b.exe\""	436377e810c418beb09d38e3ac54cb60n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202u.exe\""	436377e810c418beb09d38e3ac54cb60n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\436377e810c418beb09d38e3ac54cb60n_3202x.exe\""	436377e810c418beb09d38e3ac54cb60n_3202w.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	436377e810c418beb09d38e3ac54cb60n_3202w.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 8feb7946d2706dc9	436377e810c418beb09d38e3ac54cb60n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	436377e810c418beb09d38e3ac54cb60n_3202o.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 2000	3728	436377e810c418beb09d38e3ac54cb60N.exe	83
PID 3728 wrote to memory of 2000	3728	436377e810c418beb09d38e3ac54cb60N.exe	83
PID 3728 wrote to memory of 2000	3728	436377e810c418beb09d38e3ac54cb60N.exe	83
PID 2000 wrote to memory of 2332	2000	436377e810c418beb09d38e3ac54cb60n_3202.exe	84
PID 2000 wrote to memory of 2332	2000	436377e810c418beb09d38e3ac54cb60n_3202.exe	84
PID 2000 wrote to memory of 2332	2000	436377e810c418beb09d38e3ac54cb60n_3202.exe	84
PID 2332 wrote to memory of 1064	2332	436377e810c418beb09d38e3ac54cb60n_3202a.exe	86
PID 2332 wrote to memory of 1064	2332	436377e810c418beb09d38e3ac54cb60n_3202a.exe	86
PID 2332 wrote to memory of 1064	2332	436377e810c418beb09d38e3ac54cb60n_3202a.exe	86
PID 1064 wrote to memory of 3144	1064	436377e810c418beb09d38e3ac54cb60n_3202b.exe	88
PID 1064 wrote to memory of 3144	1064	436377e810c418beb09d38e3ac54cb60n_3202b.exe	88
PID 1064 wrote to memory of 3144	1064	436377e810c418beb09d38e3ac54cb60n_3202b.exe	88
PID 3144 wrote to memory of 1964	3144	436377e810c418beb09d38e3ac54cb60n_3202c.exe	89
PID 3144 wrote to memory of 1964	3144	436377e810c418beb09d38e3ac54cb60n_3202c.exe	89
PID 3144 wrote to memory of 1964	3144	436377e810c418beb09d38e3ac54cb60n_3202c.exe	89
PID 1964 wrote to memory of 3948	1964	436377e810c418beb09d38e3ac54cb60n_3202d.exe	90
PID 1964 wrote to memory of 3948	1964	436377e810c418beb09d38e3ac54cb60n_3202d.exe	90
PID 1964 wrote to memory of 3948	1964	436377e810c418beb09d38e3ac54cb60n_3202d.exe	90
PID 3948 wrote to memory of 4960	3948	436377e810c418beb09d38e3ac54cb60n_3202e.exe	92
PID 3948 wrote to memory of 4960	3948	436377e810c418beb09d38e3ac54cb60n_3202e.exe	92
PID 3948 wrote to memory of 4960	3948	436377e810c418beb09d38e3ac54cb60n_3202e.exe	92
PID 4960 wrote to memory of 3324	4960	436377e810c418beb09d38e3ac54cb60n_3202f.exe	93
PID 4960 wrote to memory of 3324	4960	436377e810c418beb09d38e3ac54cb60n_3202f.exe	93
PID 4960 wrote to memory of 3324	4960	436377e810c418beb09d38e3ac54cb60n_3202f.exe	93
PID 3324 wrote to memory of 3424	3324	436377e810c418beb09d38e3ac54cb60n_3202g.exe	95
PID 3324 wrote to memory of 3424	3324	436377e810c418beb09d38e3ac54cb60n_3202g.exe	95
PID 3324 wrote to memory of 3424	3324	436377e810c418beb09d38e3ac54cb60n_3202g.exe	95
PID 3424 wrote to memory of 3520	3424	436377e810c418beb09d38e3ac54cb60n_3202h.exe	96
PID 3424 wrote to memory of 3520	3424	436377e810c418beb09d38e3ac54cb60n_3202h.exe	96
PID 3424 wrote to memory of 3520	3424	436377e810c418beb09d38e3ac54cb60n_3202h.exe	96
PID 3520 wrote to memory of 1048	3520	436377e810c418beb09d38e3ac54cb60n_3202i.exe	97
PID 3520 wrote to memory of 1048	3520	436377e810c418beb09d38e3ac54cb60n_3202i.exe	97
PID 3520 wrote to memory of 1048	3520	436377e810c418beb09d38e3ac54cb60n_3202i.exe	97
PID 1048 wrote to memory of 3588	1048	436377e810c418beb09d38e3ac54cb60n_3202j.exe	98
PID 1048 wrote to memory of 3588	1048	436377e810c418beb09d38e3ac54cb60n_3202j.exe	98
PID 1048 wrote to memory of 3588	1048	436377e810c418beb09d38e3ac54cb60n_3202j.exe	98
PID 3588 wrote to memory of 4768	3588	436377e810c418beb09d38e3ac54cb60n_3202k.exe	99
PID 3588 wrote to memory of 4768	3588	436377e810c418beb09d38e3ac54cb60n_3202k.exe	99
PID 3588 wrote to memory of 4768	3588	436377e810c418beb09d38e3ac54cb60n_3202k.exe	99
PID 4768 wrote to memory of 4428	4768	436377e810c418beb09d38e3ac54cb60n_3202l.exe	101
PID 4768 wrote to memory of 4428	4768	436377e810c418beb09d38e3ac54cb60n_3202l.exe	101
PID 4768 wrote to memory of 4428	4768	436377e810c418beb09d38e3ac54cb60n_3202l.exe	101
PID 4428 wrote to memory of 4244	4428	436377e810c418beb09d38e3ac54cb60n_3202m.exe	102
PID 4428 wrote to memory of 4244	4428	436377e810c418beb09d38e3ac54cb60n_3202m.exe	102
PID 4428 wrote to memory of 4244	4428	436377e810c418beb09d38e3ac54cb60n_3202m.exe	102
PID 4244 wrote to memory of 2092	4244	436377e810c418beb09d38e3ac54cb60n_3202n.exe	103
PID 4244 wrote to memory of 2092	4244	436377e810c418beb09d38e3ac54cb60n_3202n.exe	103
PID 4244 wrote to memory of 2092	4244	436377e810c418beb09d38e3ac54cb60n_3202n.exe	103
PID 2092 wrote to memory of 3252	2092	436377e810c418beb09d38e3ac54cb60n_3202o.exe	104
PID 2092 wrote to memory of 3252	2092	436377e810c418beb09d38e3ac54cb60n_3202o.exe	104
PID 2092 wrote to memory of 3252	2092	436377e810c418beb09d38e3ac54cb60n_3202o.exe	104
PID 3252 wrote to memory of 1632	3252	436377e810c418beb09d38e3ac54cb60n_3202p.exe	105
PID 3252 wrote to memory of 1632	3252	436377e810c418beb09d38e3ac54cb60n_3202p.exe	105
PID 3252 wrote to memory of 1632	3252	436377e810c418beb09d38e3ac54cb60n_3202p.exe	105
PID 1632 wrote to memory of 1796	1632	436377e810c418beb09d38e3ac54cb60n_3202q.exe	106
PID 1632 wrote to memory of 1796	1632	436377e810c418beb09d38e3ac54cb60n_3202q.exe	106
PID 1632 wrote to memory of 1796	1632	436377e810c418beb09d38e3ac54cb60n_3202q.exe	106
PID 1796 wrote to memory of 3240	1796	436377e810c418beb09d38e3ac54cb60n_3202r.exe	107
PID 1796 wrote to memory of 3240	1796	436377e810c418beb09d38e3ac54cb60n_3202r.exe	107
PID 1796 wrote to memory of 3240	1796	436377e810c418beb09d38e3ac54cb60n_3202r.exe	107
PID 3240 wrote to memory of 2896	3240	436377e810c418beb09d38e3ac54cb60n_3202s.exe	108
PID 3240 wrote to memory of 2896	3240	436377e810c418beb09d38e3ac54cb60n_3202s.exe	108
PID 3240 wrote to memory of 2896	3240	436377e810c418beb09d38e3ac54cb60n_3202s.exe	108
PID 2896 wrote to memory of 740	2896	436377e810c418beb09d38e3ac54cb60n_3202t.exe	109

C:\Users\Admin\AppData\Local\Temp\436377e810c418beb09d38e3ac54cb60N.exe
"C:\Users\Admin\AppData\Local\Temp\436377e810c418beb09d38e3ac54cb60N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728
- \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202.exe
  c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2000
- - \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202a.exe
    c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202b.exe
      c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1064
    - - \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202c.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202d.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202e.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202f.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202g.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202h.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202i.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202j.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202k.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202l.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202m.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202n.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202o.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202p.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202q.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202r.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202s.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202t.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202u.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:740
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202v.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202w.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202x.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4264
        
        \??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202y.exe
        
        c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\436377e810c418beb09d38e3ac54cb60n_3202.exe

Filesize
553KB

MD5
4f6026a1a07f66b1f23cf7145dc1af18

SHA1
3ab8dd4d69ac13ca92abad6d5b2bb2b4060a860b

SHA256
81f866e1477c7df27ba617a6527e85e89e36bd5b42accedffa23befa227de68f

SHA512
f437c58e181fa8a5c227822b8565c181517887d41459cad7037f38c127aa0e105af9d7c4026a2d089afd455ac664d5011b6048493040d539e0218e08d08a0c8b

Download Submit
\??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202m.exe

Filesize
553KB

MD5
174cdf22eab9de604a646fad77ff795c

SHA1
18ccd462350b9e53fbc0d4dee8124e5f3cb69ec1

SHA256
33fc15384c442dff580c844eb86a6459b7f7babc9555059149d834c1ef884f89

SHA512
2da75ab7790aa96be196cc7bdaf2c4a4b8e6214c548b0fa1811426c5c056cd21dac465f6942bd2237c272bd4a8a3ef113c9dc17da4dcc29d02b0a3be63196051

Download Submit
\??\c:\users\admin\appdata\local\temp\436377e810c418beb09d38e3ac54cb60n_3202y.exe

Filesize
553KB

MD5
32d235acc8a82e58b2e25903a55279a1

SHA1
ec36f97895b2db84121588dd99f850dc89e4aade

SHA256
17930410654938efae0996fe2714d0119474be58fca41774b0a59b24f963864c

SHA512
4ad72e7bffe9fad67c2e03183067e047ee6dfeace3863fea80b3f358acb095df08f70e42a45f74ccabc1a596cd6e0e73582f92b21747add8debfd7e7a97b9949

Download Submit
memory/740-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/740-212-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1048-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1048-112-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-36-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1632-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1632-172-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1796-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1964-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-17-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2092-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2332-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2584-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-213-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2896-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3144-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3240-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3240-190-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3252-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3324-87-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3424-91-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3520-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3520-92-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3588-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3588-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-8-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3728-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4020-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4244-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4264-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4428-138-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4768-129-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4960-71-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads