9738f1fbd04a2907c9eeb7e8605bebec1a58610ad5b01954a6562e18c33b6c57

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80b23ef03554ddf1408a66d0367ab7b0N.exe
Size

520KB
MD5

80b23ef03554ddf1408a66d0367ab7b0
SHA1

43ff79e2dbf48761c9a6c8f984e9e670cdf7c912
SHA256

9738f1fbd04a2907c9eeb7e8605bebec1a58610ad5b01954a6562e18c33b6c57
SHA512

e129f133b5088329c30c1c4f9b6b452a192ddd9d34606e536fd50b78a8834b874c1f7eefa8469039b3dcaeca45cab30d581ad9d6fc95b66a49623c0558de7a24
SSDEEP

6144:rqppuGRYx4H712f/SBTpzZA6rXD40b+7TJACRNpnZtfeQIROl9as+660obyWcEKJ:rqpNtb1YIp9AI4FA+pnh

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
1720	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
1468	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
2172	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
1864	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
2964	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
1728	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
3016	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
1532	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
2812	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
2804	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
2860	80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
3056	80b23ef03554ddf1408a66d0367ab7b0N.exe
3056	80b23ef03554ddf1408a66d0367ab7b0N.exe
2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
1720	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
1720	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
1468	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
1468	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
2172	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
2172	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
1864	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
1864	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
2964	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
2964	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
1728	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
1728	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
3016	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
3016	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
1532	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
1532	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
2812	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
2812	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
2804	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
2804	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202.exe\""	80b23ef03554ddf1408a66d0367ab7b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe\""	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = c855c0dcf1c9048a	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2680	3056	80b23ef03554ddf1408a66d0367ab7b0N.exe	31
PID 3056 wrote to memory of 2680	3056	80b23ef03554ddf1408a66d0367ab7b0N.exe	31
PID 3056 wrote to memory of 2680	3056	80b23ef03554ddf1408a66d0367ab7b0N.exe	31
PID 3056 wrote to memory of 2680	3056	80b23ef03554ddf1408a66d0367ab7b0N.exe	31
PID 2680 wrote to memory of 2684	2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe	32
PID 2680 wrote to memory of 2684	2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe	32
PID 2680 wrote to memory of 2684	2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe	32
PID 2680 wrote to memory of 2684	2680	80b23ef03554ddf1408a66d0367ab7b0n_3202.exe	32
PID 2684 wrote to memory of 2844	2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe	33
PID 2684 wrote to memory of 2844	2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe	33
PID 2684 wrote to memory of 2844	2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe	33
PID 2684 wrote to memory of 2844	2684	80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe	33
PID 2844 wrote to memory of 2548	2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe	34
PID 2844 wrote to memory of 2548	2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe	34
PID 2844 wrote to memory of 2548	2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe	34
PID 2844 wrote to memory of 2548	2844	80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe	34
PID 2548 wrote to memory of 1960	2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe	35
PID 2548 wrote to memory of 1960	2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe	35
PID 2548 wrote to memory of 1960	2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe	35
PID 2548 wrote to memory of 1960	2548	80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe	35
PID 1960 wrote to memory of 2756	1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe	36
PID 1960 wrote to memory of 2756	1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe	36
PID 1960 wrote to memory of 2756	1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe	36
PID 1960 wrote to memory of 2756	1960	80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe	36
PID 2756 wrote to memory of 1404	2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe	37
PID 2756 wrote to memory of 1404	2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe	37
PID 2756 wrote to memory of 1404	2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe	37
PID 2756 wrote to memory of 1404	2756	80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe	37
PID 1404 wrote to memory of 1592	1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe	38
PID 1404 wrote to memory of 1592	1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe	38
PID 1404 wrote to memory of 1592	1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe	38
PID 1404 wrote to memory of 1592	1404	80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe	38
PID 1592 wrote to memory of 1620	1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe	39
PID 1592 wrote to memory of 1620	1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe	39
PID 1592 wrote to memory of 1620	1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe	39
PID 1592 wrote to memory of 1620	1592	80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe	39
PID 1620 wrote to memory of 1604	1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe	40
PID 1620 wrote to memory of 1604	1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe	40
PID 1620 wrote to memory of 1604	1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe	40
PID 1620 wrote to memory of 1604	1620	80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe	40
PID 1604 wrote to memory of 772	1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe	41
PID 1604 wrote to memory of 772	1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe	41
PID 1604 wrote to memory of 772	1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe	41
PID 1604 wrote to memory of 772	1604	80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe	41
PID 772 wrote to memory of 2148	772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe	42
PID 772 wrote to memory of 2148	772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe	42
PID 772 wrote to memory of 2148	772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe	42
PID 772 wrote to memory of 2148	772	80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe	42
PID 2148 wrote to memory of 2268	2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe	43
PID 2148 wrote to memory of 2268	2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe	43
PID 2148 wrote to memory of 2268	2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe	43
PID 2148 wrote to memory of 2268	2148	80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe	43
PID 2268 wrote to memory of 444	2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe	44
PID 2268 wrote to memory of 444	2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe	44
PID 2268 wrote to memory of 444	2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe	44
PID 2268 wrote to memory of 444	2268	80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe	44
PID 444 wrote to memory of 960	444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe	45
PID 444 wrote to memory of 960	444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe	45
PID 444 wrote to memory of 960	444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe	45
PID 444 wrote to memory of 960	444	80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe	45
PID 960 wrote to memory of 1720	960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe	46
PID 960 wrote to memory of 1720	960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe	46
PID 960 wrote to memory of 1720	960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe	46
PID 960 wrote to memory of 1720	960	80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe	46

C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0N.exe
"C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
  c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
    c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
      c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        \??\c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe
        
        c:\users\admin\appdata\local\temp\80b23ef03554ddf1408a66d0367ab7b0n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202.exe

Filesize
520KB

MD5
f782fa17d53cc1dcda2b56c7c62eb8e8

SHA1
13fa2036a22977cb5a25c5f0e7b9ae3d1e7d57f7

SHA256
dbbd392328fd4e8255fa64234400278009610605660649e4bd1f8dde9bb2b16b

SHA512
03e47a6164adc6bc453165d636ca143db37345d6a43099eaa292cd6d3fda1e0cc2f65580f4596854b78c8e194340fcca21130fc21ed04a11f26450b79d9d745e

Download Submit
C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202a.exe

Filesize
520KB

MD5
e77b04ad25614ee851a076a0bb9c99ad

SHA1
3e17c002f36e6d7ae6eb0d6c5f0ba265ea460e39

SHA256
89872ce25326ab19e6b25c7b4e29d4f740f1db54d3902c084e9c12dbdaa7856c

SHA512
2a9c43bd0d49425dce3936b2693140853e727fbbbf1063658c9a98c7d8c535a4b63c4c6081a48a3c64210d1f00d4eb8f20d751ce7b46ad35582fd9fd732d7330

Download Submit
C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202d.exe

Filesize
521KB

MD5
f18160dcc38b2065f04c718925f9d83a

SHA1
801a30f46e42f80685128e04401d8aa32e7425fd

SHA256
8549087a60f5c5c5b28718e4c68661efed0e664729f1ce1e3841bf296c7d283c

SHA512
41c7b7f91b1f0797e0ef846c4eccf575f599a1b6dd8efe345c3364f3929e9204e84bdda985a19702cbd5649eca4f4ea4ae66a948aec50d28f76bb882b7f67483

Download Submit
C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202h.exe

Filesize
522KB

MD5
f356a477c2d699e9c88b7babd8c06732

SHA1
aef619f85709be9d1b5d1de2061c92c21c97b1b2

SHA256
54bc8218ccb887a65c7f21e77723ff73c5f443eb98a6aa2b697b5774c100200d

SHA512
877add10e65c1e3d6c1eaf4dce59f1f13fa9296c06ebc442439f071e28876b65c0996961a0eb7f0a8149845f4a52e246d4631929a8a6035153950d5265eab1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202l.exe

Filesize
523KB

MD5
313cc5c92d441b911b911877a76f0434

SHA1
9fd5a43d28681e01e93002416abdfb3b2b0608af

SHA256
c2374e7f39c346474156354b53ab2d0d731bc713803b41b5bee5f2eef3a9009b

SHA512
97289f0d4c3b8df7e4c3712a8df8a5b1ecba676e525423e33cf68cf273675e35c31621de92e5bee8769192fb975694ba50a4576205c13b50d477eb822afb9d04

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202b.exe

Filesize
521KB

MD5
1179d359acd46398100334ab0407fc1a

SHA1
f18e2b598d3a05f5b2bcb8e4bf96a2a1bf498817

SHA256
f10138087de1c70152b1ebecb391c660d659cace0316a9f59964f72039fb71b6

SHA512
bb4ee35cdd8b38601dc3dd176cebc10ea47cbc7b13fff318d5730391e95dbd3a54f23734440cd2c18022ec9f26a81ca7a2b42e9b0ea8b2b346a0e09bede3e4bb

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202c.exe

Filesize
521KB

MD5
cca93262feb4353a8981b8c8e0207bd8

SHA1
36b51a7d2db80cdb77a3d8cd966786508bd48f34

SHA256
06b09ebe145a1391c92cdf53203f84e17cef058c0482b20463f908248d23f9b9

SHA512
3758f618cd80a83551eb5a5ea8744c315ec97f0feaff7de9469c38d71c76ac1d49b6e55f308198c23f1d188c27ea0aed15c988f76f75881f0f3491da2a51052a

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202e.exe

Filesize
521KB

MD5
c5d27af6f1ea65fe8171eb6e12cedac2

SHA1
820b973edb38a7475f6c54f835c7e0a64bec120e

SHA256
0396654dba9fb228d581f1c90f19c691de4a76f133a9097e0f328ea7a7229687

SHA512
fb0717aef1c905f464793092a0b3d78499170c304b1f9b7bd1c6e058354aee7a8975fa1d53c5dcced802ac1814abc6db022f6a8f675fd9a7c27dd9bf505f6074

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202f.exe

Filesize
522KB

MD5
c336ad1c0d4318a54f699564d5e85085

SHA1
6402a28bce593c8693429f54b8c5e68dcc27f83d

SHA256
336c5e02a07ebfbfdd808cf726c231027811b0a5d37a5c1685e78a657a7b9534

SHA512
3207dfccb91a8818302aa7325f7c0e2ea219d806d598f7816d3563f9fc5845ff20ccee7909012e8e983722b50ebe0c20b37bd75f40a1634c40c5c6dff720a604

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202g.exe

Filesize
522KB

MD5
9d9960809a56a98fe1538e4389846fcc

SHA1
baf895bec7d29cda0fe6ea14bd41d3e46921a96a

SHA256
d027b6facad19b8a95be53818bf54494ff95a47543cc38704a9ad2d4dd24cc35

SHA512
e50eee9bb11eeadfdc3be022ca94438b36a9132aba096aa2cf8bdeabd287d5f7463cee8891bba828656670eaafd2845a17d61330272faa0f500a84a07b6f5b81

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202i.exe

Filesize
522KB

MD5
2747c1314d0203e86859e958d63f2231

SHA1
2fd8d01f889e0147764054af84e4c08dd7e93049

SHA256
021fdc1ac5f980946e019e1ee5c20b1eb7a933fc20efb11c172f9dd8b41cfe4f

SHA512
35c54f0c6cabab381889b71a5ff4f1e5917a0aa0bebc63c3eee9ee4476080fa1da55dad3c3a5f5841dfdb3d064282ff25256800b6c9df2d69a0a272bbb606078

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202j.exe

Filesize
522KB

MD5
9ab6cf0b4ffdf5169335d251195ab601

SHA1
6c3771ecda97741232e78d01611dd854434db2ba

SHA256
7637023428fac18c4de8451860ad3c7734cbd1572d0c150526fa726a1a0ffda8

SHA512
626f9fb69ee2bd2ed3ee7d8eb79b6c0a1fa3bc62cbe6c18be160267a5937702b1dc10122b097880dbf81822043ca6d39452524b08292668ddbed985f0c719a37

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202k.exe

Filesize
523KB

MD5
f8ab540ebde9fd557593a9e8b841b44b

SHA1
93476cfb4003aef7b35ba19656d432150e077b71

SHA256
c4d1ba2e0079e516f077b33922b15afc65ed0c59775e86fd0fbfaaf78335102b

SHA512
99df9276499c38faf6070289a446b01182784f5e5090871f22543320837b83d5bc9a62c9ca4f1298bebb832be2d3d9a0d4cd151b7e098da13093b2e99b09c3ab

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202m.exe

Filesize
523KB

MD5
3cfea6cc6ad624029cb27fdfc0cab1af

SHA1
f35d8c789a8573f7c4a41279dcf98857dafb93ae

SHA256
cc6c0d4c470c319f9947cf99e7c004bf0fce9acde46d8e050e43f02e22284296

SHA512
9f3d81756b04695f0f132028eb2369d59d2d58ad6f74b9814aa72555d7202dac11f5916c4f08e648cc09283ee1325109895a2b0818dd6c8e0427ead45571538b

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202n.exe

Filesize
523KB

MD5
edfb53999f9fb56d6eb8cfae44671daf

SHA1
fe6373a4e6d935a60a8390edbf8f0d9a44cbebe9

SHA256
48575f19591fc00966c02b2ab979d2566957885cb39d3f21e994a78252d45eb4

SHA512
b0969780e9f12e015e43410f3bc2405e1e5870f5759ad45ad2efc3665a90152dce3c62c159078c632f4b43f044b6c62dc64e989fc9003e67e768820c067e0ccf

Download Submit
\Users\Admin\AppData\Local\Temp\80b23ef03554ddf1408a66d0367ab7b0n_3202o.exe

Filesize
524KB

MD5
c5932311e45f0acfbc8a01279ebed6ad

SHA1
50cefb62e7c143c2e89ad52f95d32ba25bdde188

SHA256
04b909501b12e66a905000b8c6505d9f9cfa5e55b75397e3f08f15ddc302c402

SHA512
533726452d72ec3f16f3b827803b6097e4bc590a63065a841299f971b7551cf14d4b5399b1ab5c64847ef92a930948df29fb109ebb2466629b934720f1e7cec3

Download Submit
memory/444-229-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/444-226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/444-235-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/772-187-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/960-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/960-248-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1404-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1468-275-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1532-349-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1592-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1604-166-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1620-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1720-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-325-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/1728-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-299-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1960-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1960-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-189-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-288-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2172-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2172-287-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2268-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2680-30-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/2680-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2684-45-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-109-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-372-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-350-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2844-59-0x0000000000780000-0x00000000007C2000-memory.dmp

Filesize
264KB

Download
memory/2844-61-0x0000000000780000-0x00000000007C2000-memory.dmp

Filesize
264KB

Download
memory/2844-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-309-0x0000000000370000-0x00000000003B2000-memory.dmp

Filesize
264KB

Download
memory/2964-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-337-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/3016-338-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-8-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/3056-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads