f5a101e63e549bb85e4a465c3277fe6a849a69eea341b9f2e7c4a0530d323866

Analysis

max time kernel
103s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1f720025db59c63c5814d8a6a48040N.exe
Size

412KB
MD5

cf1f720025db59c63c5814d8a6a48040
SHA1

eef3cd136359ba3592f1d7766cfd69676b21b98a
SHA256

f5a101e63e549bb85e4a465c3277fe6a849a69eea341b9f2e7c4a0530d323866
SHA512

f5c8cc18d68439df5c8a31c2b940adec1df91536ada8c1156b20c9ba0f5a29c19ea24c02e7fbeceeaa09b32ac173b359f0734688e39cf26cd08d3232c2534864
SSDEEP

3072:Wae7OubpGGErCbuZM4EQrjo7vgHJJPPIjHCNxTKsVx/MV0e/PUAVhbUkZ48H4yx:WacxGfTMfQrjoziJJHIMuPJx

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2940	cf1f720025db59c63c5814d8a6a48040n_3202.exe
4160	cf1f720025db59c63c5814d8a6a48040n_3202a.exe
2772	cf1f720025db59c63c5814d8a6a48040n_3202b.exe
3232	cf1f720025db59c63c5814d8a6a48040n_3202c.exe
2396	cf1f720025db59c63c5814d8a6a48040n_3202d.exe
4296	cf1f720025db59c63c5814d8a6a48040n_3202e.exe
2032	cf1f720025db59c63c5814d8a6a48040n_3202f.exe
1656	cf1f720025db59c63c5814d8a6a48040n_3202g.exe
428	cf1f720025db59c63c5814d8a6a48040n_3202h.exe
3548	cf1f720025db59c63c5814d8a6a48040n_3202i.exe
1892	cf1f720025db59c63c5814d8a6a48040n_3202j.exe
2336	cf1f720025db59c63c5814d8a6a48040n_3202k.exe
4528	cf1f720025db59c63c5814d8a6a48040n_3202l.exe
3292	cf1f720025db59c63c5814d8a6a48040n_3202m.exe
1700	cf1f720025db59c63c5814d8a6a48040n_3202n.exe
832	cf1f720025db59c63c5814d8a6a48040n_3202o.exe
1480	cf1f720025db59c63c5814d8a6a48040n_3202p.exe
2380	cf1f720025db59c63c5814d8a6a48040n_3202q.exe
4916	cf1f720025db59c63c5814d8a6a48040n_3202r.exe
2560	cf1f720025db59c63c5814d8a6a48040n_3202s.exe
3656	cf1f720025db59c63c5814d8a6a48040n_3202t.exe
5004	cf1f720025db59c63c5814d8a6a48040n_3202u.exe
3600	cf1f720025db59c63c5814d8a6a48040n_3202v.exe
1512	cf1f720025db59c63c5814d8a6a48040n_3202w.exe
4784	cf1f720025db59c63c5814d8a6a48040n_3202x.exe
4108	cf1f720025db59c63c5814d8a6a48040n_3202y.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4868-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0006000000022998-5.dat	upx
behavioral2/memory/4868-10-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2940-18-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x00090000000233ea-20.dat	upx
behavioral2/memory/4160-21-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023431-28.dat	upx
behavioral2/memory/4160-31-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023432-38.dat	upx
behavioral2/memory/2772-40-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023434-50.dat	upx
behavioral2/memory/3232-51-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023435-58.dat	upx
behavioral2/memory/2396-60-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023436-68.dat	upx
behavioral2/memory/4296-70-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023437-78.dat	upx
behavioral2/memory/1656-87-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2032-81-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023438-90.dat	upx
behavioral2/memory/428-93-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1656-92-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023439-100.dat	upx
behavioral2/memory/428-102-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002343a-112.dat	upx
behavioral2/memory/3548-113-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002343b-120.dat	upx
behavioral2/memory/2336-124-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/1892-123-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002343c-131.dat	upx
behavioral2/memory/2336-133-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002343d-141.dat	upx
behavioral2/memory/3292-145-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4528-144-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3292-154-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000900000002342b-152.dat	upx
behavioral2/files/0x000700000002343e-162.dat	upx
behavioral2/memory/1700-164-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000700000002343f-172.dat	upx
behavioral2/memory/832-174-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023440-182.dat	upx
behavioral2/memory/1480-184-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023441-192.dat	upx
behavioral2/memory/4916-196-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0002000000022a83-203.dat	upx
behavioral2/memory/2560-207-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4916-206-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2380-195-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/2560-217-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023442-215.dat	upx
behavioral2/memory/3656-227-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0003000000022a80-226.dat	upx
behavioral2/files/0x0007000000023443-234.dat	upx
behavioral2/files/0x0007000000023444-245.dat	upx
behavioral2/memory/1512-249-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3600-248-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/3600-238-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/5004-237-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x0007000000023445-256.dat	upx
behavioral2/memory/1512-259-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4108-272-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/files/0x000a000000023386-268.dat	upx
behavioral2/memory/4108-270-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral2/memory/4784-269-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202h.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202p.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202.exe\""	cf1f720025db59c63c5814d8a6a48040N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202d.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202c.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202t.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202k.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202x.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202u.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202v.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202f.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202q.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202r.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202s.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202y.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202i.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202m.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202a.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202b.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202g.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202w.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202l.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202n.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202o.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202e.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\cf1f720025db59c63c5814d8a6a48040n_3202j.exe\""	cf1f720025db59c63c5814d8a6a48040n_3202i.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf1f720025db59c63c5814d8a6a48040n_3202v.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	cf1f720025db59c63c5814d8a6a48040n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 0a21efeed3d9c3b5	cf1f720025db59c63c5814d8a6a48040n_3202h.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 2940	4868	cf1f720025db59c63c5814d8a6a48040N.exe	83
PID 4868 wrote to memory of 2940	4868	cf1f720025db59c63c5814d8a6a48040N.exe	83
PID 4868 wrote to memory of 2940	4868	cf1f720025db59c63c5814d8a6a48040N.exe	83
PID 2940 wrote to memory of 4160	2940	cf1f720025db59c63c5814d8a6a48040n_3202.exe	84
PID 2940 wrote to memory of 4160	2940	cf1f720025db59c63c5814d8a6a48040n_3202.exe	84
PID 2940 wrote to memory of 4160	2940	cf1f720025db59c63c5814d8a6a48040n_3202.exe	84
PID 4160 wrote to memory of 2772	4160	cf1f720025db59c63c5814d8a6a48040n_3202a.exe	85
PID 4160 wrote to memory of 2772	4160	cf1f720025db59c63c5814d8a6a48040n_3202a.exe	85
PID 4160 wrote to memory of 2772	4160	cf1f720025db59c63c5814d8a6a48040n_3202a.exe	85
PID 2772 wrote to memory of 3232	2772	cf1f720025db59c63c5814d8a6a48040n_3202b.exe	86
PID 2772 wrote to memory of 3232	2772	cf1f720025db59c63c5814d8a6a48040n_3202b.exe	86
PID 2772 wrote to memory of 3232	2772	cf1f720025db59c63c5814d8a6a48040n_3202b.exe	86
PID 3232 wrote to memory of 2396	3232	cf1f720025db59c63c5814d8a6a48040n_3202c.exe	87
PID 3232 wrote to memory of 2396	3232	cf1f720025db59c63c5814d8a6a48040n_3202c.exe	87
PID 3232 wrote to memory of 2396	3232	cf1f720025db59c63c5814d8a6a48040n_3202c.exe	87
PID 2396 wrote to memory of 4296	2396	cf1f720025db59c63c5814d8a6a48040n_3202d.exe	89
PID 2396 wrote to memory of 4296	2396	cf1f720025db59c63c5814d8a6a48040n_3202d.exe	89
PID 2396 wrote to memory of 4296	2396	cf1f720025db59c63c5814d8a6a48040n_3202d.exe	89
PID 4296 wrote to memory of 2032	4296	cf1f720025db59c63c5814d8a6a48040n_3202e.exe	90
PID 4296 wrote to memory of 2032	4296	cf1f720025db59c63c5814d8a6a48040n_3202e.exe	90
PID 4296 wrote to memory of 2032	4296	cf1f720025db59c63c5814d8a6a48040n_3202e.exe	90
PID 2032 wrote to memory of 1656	2032	cf1f720025db59c63c5814d8a6a48040n_3202f.exe	92
PID 2032 wrote to memory of 1656	2032	cf1f720025db59c63c5814d8a6a48040n_3202f.exe	92
PID 2032 wrote to memory of 1656	2032	cf1f720025db59c63c5814d8a6a48040n_3202f.exe	92
PID 1656 wrote to memory of 428	1656	cf1f720025db59c63c5814d8a6a48040n_3202g.exe	93
PID 1656 wrote to memory of 428	1656	cf1f720025db59c63c5814d8a6a48040n_3202g.exe	93
PID 1656 wrote to memory of 428	1656	cf1f720025db59c63c5814d8a6a48040n_3202g.exe	93
PID 428 wrote to memory of 3548	428	cf1f720025db59c63c5814d8a6a48040n_3202h.exe	94
PID 428 wrote to memory of 3548	428	cf1f720025db59c63c5814d8a6a48040n_3202h.exe	94
PID 428 wrote to memory of 3548	428	cf1f720025db59c63c5814d8a6a48040n_3202h.exe	94
PID 3548 wrote to memory of 1892	3548	cf1f720025db59c63c5814d8a6a48040n_3202i.exe	96
PID 3548 wrote to memory of 1892	3548	cf1f720025db59c63c5814d8a6a48040n_3202i.exe	96
PID 3548 wrote to memory of 1892	3548	cf1f720025db59c63c5814d8a6a48040n_3202i.exe	96
PID 1892 wrote to memory of 2336	1892	cf1f720025db59c63c5814d8a6a48040n_3202j.exe	97
PID 1892 wrote to memory of 2336	1892	cf1f720025db59c63c5814d8a6a48040n_3202j.exe	97
PID 1892 wrote to memory of 2336	1892	cf1f720025db59c63c5814d8a6a48040n_3202j.exe	97
PID 2336 wrote to memory of 4528	2336	cf1f720025db59c63c5814d8a6a48040n_3202k.exe	98
PID 2336 wrote to memory of 4528	2336	cf1f720025db59c63c5814d8a6a48040n_3202k.exe	98
PID 2336 wrote to memory of 4528	2336	cf1f720025db59c63c5814d8a6a48040n_3202k.exe	98
PID 4528 wrote to memory of 3292	4528	cf1f720025db59c63c5814d8a6a48040n_3202l.exe	99
PID 4528 wrote to memory of 3292	4528	cf1f720025db59c63c5814d8a6a48040n_3202l.exe	99
PID 4528 wrote to memory of 3292	4528	cf1f720025db59c63c5814d8a6a48040n_3202l.exe	99
PID 3292 wrote to memory of 1700	3292	cf1f720025db59c63c5814d8a6a48040n_3202m.exe	100
PID 3292 wrote to memory of 1700	3292	cf1f720025db59c63c5814d8a6a48040n_3202m.exe	100
PID 3292 wrote to memory of 1700	3292	cf1f720025db59c63c5814d8a6a48040n_3202m.exe	100
PID 1700 wrote to memory of 832	1700	cf1f720025db59c63c5814d8a6a48040n_3202n.exe	101
PID 1700 wrote to memory of 832	1700	cf1f720025db59c63c5814d8a6a48040n_3202n.exe	101
PID 1700 wrote to memory of 832	1700	cf1f720025db59c63c5814d8a6a48040n_3202n.exe	101
PID 832 wrote to memory of 1480	832	cf1f720025db59c63c5814d8a6a48040n_3202o.exe	102
PID 832 wrote to memory of 1480	832	cf1f720025db59c63c5814d8a6a48040n_3202o.exe	102
PID 832 wrote to memory of 1480	832	cf1f720025db59c63c5814d8a6a48040n_3202o.exe	102
PID 1480 wrote to memory of 2380	1480	cf1f720025db59c63c5814d8a6a48040n_3202p.exe	103
PID 1480 wrote to memory of 2380	1480	cf1f720025db59c63c5814d8a6a48040n_3202p.exe	103
PID 1480 wrote to memory of 2380	1480	cf1f720025db59c63c5814d8a6a48040n_3202p.exe	103
PID 2380 wrote to memory of 4916	2380	cf1f720025db59c63c5814d8a6a48040n_3202q.exe	104
PID 2380 wrote to memory of 4916	2380	cf1f720025db59c63c5814d8a6a48040n_3202q.exe	104
PID 2380 wrote to memory of 4916	2380	cf1f720025db59c63c5814d8a6a48040n_3202q.exe	104
PID 4916 wrote to memory of 2560	4916	cf1f720025db59c63c5814d8a6a48040n_3202r.exe	105
PID 4916 wrote to memory of 2560	4916	cf1f720025db59c63c5814d8a6a48040n_3202r.exe	105
PID 4916 wrote to memory of 2560	4916	cf1f720025db59c63c5814d8a6a48040n_3202r.exe	105
PID 2560 wrote to memory of 3656	2560	cf1f720025db59c63c5814d8a6a48040n_3202s.exe	106
PID 2560 wrote to memory of 3656	2560	cf1f720025db59c63c5814d8a6a48040n_3202s.exe	106
PID 2560 wrote to memory of 3656	2560	cf1f720025db59c63c5814d8a6a48040n_3202s.exe	106
PID 3656 wrote to memory of 5004	3656	cf1f720025db59c63c5814d8a6a48040n_3202t.exe	107

C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040N.exe
"C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4868
- \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202.exe
  c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2940
- - \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202a.exe
    c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202b.exe
      c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202c.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
      - \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202d.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202e.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202f.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202g.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202h.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202i.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202j.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202k.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202l.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202m.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202n.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202o.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202p.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202q.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202r.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202s.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202t.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202u.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202v.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202w.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202x.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4784
        
        \??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202y.exe
        
        c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202.exe

Filesize
412KB

MD5
5f0457ab990b1f134542a98b93e2d650

SHA1
a08c5b32f4cfec7a160fe79734b5f20ea487f733

SHA256
528bf34cd95fd38486d07f58dfb3f9d31a2d53509028f5be6537454bb922ad04

SHA512
459b6ae4fed18f6911bca044b3fad638199b347eb5a9825169fa4fcac404eceae4a79be05777ffd2a02c4be895fc0150aa0713cf7d712a7c2f96f309fd53f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202b.exe

Filesize
413KB

MD5
d555f5fe017b3baf827ed265bd00588a

SHA1
cbe06c0fbcddb325acfbdd5a0c4530bf6d1138b8

SHA256
7c2d6688ddec00cf077aa08e7bda2f394e0acda406edbecac714169dd9af8bbc

SHA512
55d95adb13e89656f7a7f0f4ac97bc9f245334fe396b885d7b4c7e473ee297e564444d8d683d86f2954de6978f4ddc9fda697396ea3cf8641248e4724f3ed81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202c.exe

Filesize
413KB

MD5
805d62e295669e5984b447a21b6e44ed

SHA1
8fa35fd8be120cda4b5f4f7109a5aec4170e78ff

SHA256
66fae89f5d40a6013f74f8ffc1ba6b611bea582274d5678603ef1cf83b42af61

SHA512
eacf34346dd09f3f53efdb984bf2ab8f8b50f394e432689f2ecd72e0a7208569055ea78d085ea2d430445c751c3ad7727bf0d28a4daa8370d2e162e73bb5bf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202e.exe

Filesize
413KB

MD5
1fe018bf96bd80557742f36312917f57

SHA1
2a783618634923572939eddfc4abc3eeeea565b3

SHA256
82aa587f796b7de2c174989d5d62ef0ff017a4ce89519d0bd52761729ddc8498

SHA512
776949d778a4e80bd91882acf90c39fd14557657f1dd29c41c39382980d4edd5d8c65b5beca47a7447750f55921ff38c8468e8f4437817d75c55d31e7083484e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202f.exe

Filesize
414KB

MD5
ef30b92395cc215cf821fc44bc393fb7

SHA1
ad70374d07f66359eaf4303b516db762f43bd7a8

SHA256
8929784bdea23cd5eff8aecc78c06763bb5313dcde92511af5ced39df6b18bad

SHA512
8a74267725c4eac4ff06ec326eead3405e3e6fe083c93f3c77def8ae0a25e55fca7ac73c5d753a073216d8f532401cfb0e9eddf709ab01cc64c05a2c3bde3bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202g.exe

Filesize
414KB

MD5
eb8c6206d2a9f564fb96b97ce656113a

SHA1
64b4b68aa5d709ed907cdedf70cb5ec06ae25140

SHA256
e7c26a2dd98fbb6336d6ce3f8ad26116df6e2450577704145017bfc0872e9220

SHA512
753b9a5d152986a36e0301e1f4a8b952836261706ed43c8afcc9858842bf7c40158e46e521889b64dce519836473c39e867e0beb48b625748166330720b94c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202i.exe

Filesize
414KB

MD5
00b90004626ef55fc03542af08d14513

SHA1
207b91a4ad7d812b3d7dc32db8087a1b2e6738f6

SHA256
b22fb72de8e3bd92cf313edbdea42093ca9ebc64b332dae86e6c7b9cd5396bd7

SHA512
95957df46970070f1d255d4f4ea63297883df8ef0192d852a52e368276bebac98a2c58f2aec501c43a2a343caf4d13941f8aa19f7706210279e127d069af0cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202k.exe

Filesize
415KB

MD5
8a5de73e52d65b128d5a59b9f4cd4c13

SHA1
2270fcf03b1543ae7b8a185604927ab402999353

SHA256
cbe84394dbffdc5a87dd1d5c64b28f654ac31e81961822d0d8bc47df6b304695

SHA512
d9787ca18fc7ff2a658b6054f006fb51f09c282b925c3e7e04e144103cfb25e62c16970192a407f42e0a07f2e79c99724a71ea3766afcdd5df9f435d07c5a872

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202l.exe

Filesize
415KB

MD5
691694c60e32814754372d051931e739

SHA1
25c86f6a2bfd48469cf1200b6e49c0a279e90b15

SHA256
1e211584e5b81d42ac52ee2985943bf846400f430031ae3bb0276747615b3133

SHA512
a9368dedaf64165e5cb2b3d81a350c03f29d8a8d3679fef430755e3987386374c85ec6c8e52b03f06d49c43ad2ae1e2809001bbe7eac51c7ec21e7ac496049df

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202m.exe

Filesize
415KB

MD5
e4e943c2001176e2caa309f194665c8d

SHA1
d4d8609b91ae70bda70e4468ae7a3651e2b68e43

SHA256
c07e7dce1560a00fbe9750a5980360c0a4e8d1d7df2d0265af2d0937c8b5eecc

SHA512
8aa2d3f3a797b22b97a9cd29cada35dd872f7e16bc560a98d208157d48fa9e55221f93ece0df18fe6a05cec22438451c1c7d80e3b3ea345c6fb81bee33699d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202n.exe

Filesize
416KB

MD5
2a7a7f055757acef380a6e70a8147415

SHA1
fd8221df48822c70f744f38097b92d9f2052747e

SHA256
cf85f99f8aebd7eb3049712c71c9e2f843fd0cb3c05f850cec33e9721396a91b

SHA512
756918ec3b5a9803a50cfc50a216f2fd51437ae901059e7d45ee367a31ecb5ed6cf51c04b4367ac5fa19d5e7f634f50fca33c893a2f993dbf392ada2bc379726

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202o.exe

Filesize
416KB

MD5
54e9665a0b3feffc03e47ea8e75dfb10

SHA1
6627c05fe2d8335bd610b9e45f6defe6da3bb63f

SHA256
555a8579d593aa8200efff3f1b3b657bcc69d956141c6d78d62b9760e6fbd22e

SHA512
cc6c5e0db86801a3b31c19dfcf8fe22866bf8d13508c215e5bd54b76f8061c19b92ebb77511d03ee01f2d00d8f0b6b1897695b6325ab9be878f88176630868f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202p.exe

Filesize
416KB

MD5
8ff330104f03a14fca8a723c7807aa74

SHA1
5f892c95262fa2ac7429920a8d456f3d87822a8d

SHA256
37c0bbaffc3393aa4c34e2d2f006154bfb4b6fa9dc33bd944ff0c903f7796593

SHA512
05091e0fb6fe33a118107f15e950df8d2273c3e4ade0bd54e0e6a6c2267f910372b752e23eef04d15c3a29220d73ae124bd91683fd7ccfe04c2ba42b9833df34

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202q.exe

Filesize
416KB

MD5
1bdc854c1983810e63aba5b6c1419656

SHA1
66adcc497f38457e36788e42a87c999361bb49a0

SHA256
fa5b6a0e7a01c8d9138e8a596f959b88454cfb6056b1c2cce658887aa4a1af42

SHA512
1366ac823da14d9c0d94df52fafa6961ccaaef37246c42f099d5559333b4193a895fda5b992205cbf061ce1d95038a93c3e5a4aab41130dd1c585851693460f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202r.exe

Filesize
416KB

MD5
f5777651913890a6ae160893f1cb9337

SHA1
f79d1dbe47f673cb201f2ba122414b0a6e503b2a

SHA256
757f86127f6e3b872abae348c0f200c6e0ea41b0b2ef79aed13b2bd275b5fedc

SHA512
7d30cb63097b04082d57d616dc03dacb6f7b3d396fe62a9a8377ac20c854b732f9d8deede1756d73d1a68d3d70d26208cc72df5eb13a9be25ed84135f38130f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202s.exe

Filesize
417KB

MD5
bdec7d56af2047fd2516f4b613372e27

SHA1
d6ce1008eebe6c8c4769a92fbe5b52d4f2ca3600

SHA256
18d7f2c105c8c1ec9746f7db0570c8b4588236b59ecd110e0a163807e77841d4

SHA512
0a80b1d1434be7584df25fcd30dc6673d169f8b45e0aff9d6fc0985dd7b5ad06924534e9b472d87226226cf61b6f80dfc1295840a4d700c5fe8058197c8c50d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202v.exe

Filesize
417KB

MD5
befba2e618a4ae5d4bb171bbb44ca9a9

SHA1
433a9c31d6f1da4797a9a958d607160299f48849

SHA256
104617d9fed81f92f7c7d97c02345f40a2056c6c84f65f1afdf3ff1b19879d11

SHA512
6d31a3722dabaa863c130c9e42eeaad73211597c681d9c8aaf41092ef5f89a517faf25ae39af0bcce5cd94c4796d890cf93b84d36d168494ae1b9e34941008aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202w.exe

Filesize
418KB

MD5
b42fe3c233bf91345dddfd64a77974f6

SHA1
d8355fbb92baf77e3830a1c81a73c1eb2e35b481

SHA256
5bf8ef37622d1e16a975555767ad87a030935a3e0d94d4cf5e1fef29ca967d61

SHA512
d22e5206a33734e43361d1a58e325b66610cd429653d9f917d41477d1f7ecb4e952dc1f3ea0cac6d0394a181bf3336a518a2cbccbfb978fae461f1e135c2498c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf1f720025db59c63c5814d8a6a48040n_3202x.exe

Filesize
418KB

MD5
70aaa09daedb33b35a7b8f1dff99a0d8

SHA1
631d9551046f0f0ad76800a6cb915cce5022db42

SHA256
1c3a4032a9778dbe7ae093507524ad457f0f23785b1a69a270e9adbcd491abbf

SHA512
54d4b7420e76c9a184c7cd1467e8fad0a6e96e880726f09e194b72f804403be09cc9ed32077642bf72cd2e1ad376f137abeb1a05265677ada85dc083b58503a9

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202a.exe

Filesize
413KB

MD5
38a6873e95c0c417baf337492409dbe5

SHA1
9affb5ed372780bff94d1ff88d0ae0e8a85243d5

SHA256
c289e269a3b2b9388d279943a5d9bdebf4fe59e0e79e599accf531e74559db1d

SHA512
ba791548806e1fdaf9d39566c6e18dd1141bc28e202ab19e734f9de9c507e13ac1e473c99f472665690c3748c88fb5e17bc4fd5a77e10879db5313ad79c0942c

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202d.exe

Filesize
413KB

MD5
116095368587fe3a2328899329b36faf

SHA1
a0acdf4945287bd71fffc965a6c54cfd433d1a1b

SHA256
98aa76a1fb2544338ab8130ff0e0c08e89d3ae79ca866f86c5236ad209d308a0

SHA512
37e59e234893f8e4796cee0918f7087f0891da152bff54ca6ef945b8ab8447bd0aab098bb93a5fcdd79c52809b6cf47cc8820f65654d6fbfc23c65147280979a

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202h.exe

Filesize
414KB

MD5
258c6d696ffb8cef5594a3bfb930c14c

SHA1
058c39bf0b51ad37f13974655ac0cca84fe80ae4

SHA256
bccc58d17a60ead424e9d39492d6e805944744824e546c1f35152baf67136735

SHA512
2c1d02acd878ab585b8e8de89f6f650575573c0b2dd7653b8e10df8f4819034e8ec6523dc28baf24739e0568bc770b8a79950aec77c8872f130e802b438246fa

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202j.exe

Filesize
415KB

MD5
f6cb6a8591084885a47d0bf60c33e23c

SHA1
d9624145c6b1cf29f5cf211301b40103a124a356

SHA256
270f82216f161adeaa28d0960a45346c8c54413e5203a4644853f02bf065a99b

SHA512
bab2b2712b8d100cbe1ad84fc8f4e7b1c62dfc92e56315fe137d2938ed31468805469ef3e609cb36fc542767962b7ac0b5b3d223c501d6226e3fb0ab9b30bc41

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202t.exe

Filesize
417KB

MD5
957465f9aee3e5cd50fe4b3b84077acd

SHA1
c9e24c4fb91fd3b66db75cb6973239990439dfc4

SHA256
58b93c62ff81162afeb76778b7800945edae9501e7ab0762dc6c165408657c47

SHA512
26c383afa45e66b4cc883a07a489205897478e91569db777e5a6e05932a1cd1513f18c2eccc8ee8dcb3f8f54b4e2f02e4d1137a6993fb418b2b11f0bc37f7c85

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202u.exe

Filesize
417KB

MD5
f3240034c1ee532a04d2107cfd3c93d5

SHA1
eb6e328cf7b8138756ad938c6674220daa6477d5

SHA256
4e768640197e8be41b95850ae38e33435fa604ab309d449aa036808fa652429d

SHA512
b9125cbe5de2ed9d0676d9906134ef549a2ccafb618b11a5dd6d6679038fa67b9165421395761ac5866f9f5dc0a6df5d59d1d9cfc273ec52cfdd08a4ae9e14d3

Download Submit
\??\c:\users\admin\appdata\local\temp\cf1f720025db59c63c5814d8a6a48040n_3202y.exe

Filesize
418KB

MD5
61fa4f5a7a66b7c0a74b59ae55ae208d

SHA1
91d0bb7b22d01e7b5e9d44e2fe7b55f00ac10a5e

SHA256
54072b693b2cdb097e6f512ceab257da82e2fcbbbffd816bd6768fa1542985c6

SHA512
1a729f76851b1334c4b2a003695be5688fe14ae0cd2a604179c462cc2c67ccd76cf5d5145a028d59ea76423d8654a43338be6b338850ffb78c8690e66d202612

Download Submit
memory/428-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/428-93-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/832-174-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1480-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-249-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1656-92-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1700-164-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1892-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-81-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2336-124-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2380-195-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2396-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2560-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2772-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3232-51-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3292-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3292-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3548-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3600-238-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3600-248-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3656-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4108-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4108-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4160-31-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4296-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4528-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4784-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4868-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-196-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5004-237-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads