513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
Size

236KB
MD5

c1e62907ed35bdcf40cba87bbd0b0a80
SHA1

92573d5cc32c0eb5b65ac382638dad835c9d1dc1
SHA256

513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687
SHA512

c8fe1cb1d7b1a9537dc1043c05d83135511b998aeb2f2fea4eb936ac6efa7bbfb57d47995edf435734de9ebe348da353d3125667bda9e7e0300d1875632ae008
SSDEEP

6144:9hbZ5hMTNFf8LAurlEzAX7o5hn8wVSZ2sXRv:vtXMzqrllX7618w8

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1100	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
2384	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
4604	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
3832	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
2888	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
1456	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
3512	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
3168	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
3104	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
792	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
2396	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
3340	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
1072	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
4596	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
2960	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
4196	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
1524	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
4032	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
2016	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
1708	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
2228	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
4200	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
232	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
2956	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
1776	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
2348	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = b352022344c2a0a7	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1100	2692	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe	82
PID 2692 wrote to memory of 1100	2692	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe	82
PID 2692 wrote to memory of 1100	2692	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe	82
PID 1100 wrote to memory of 2384	1100	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe	83
PID 1100 wrote to memory of 2384	1100	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe	83
PID 1100 wrote to memory of 2384	1100	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe	83
PID 2384 wrote to memory of 4604	2384	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe	84
PID 2384 wrote to memory of 4604	2384	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe	84
PID 2384 wrote to memory of 4604	2384	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe	84
PID 4604 wrote to memory of 3832	4604	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe	85
PID 4604 wrote to memory of 3832	4604	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe	85
PID 4604 wrote to memory of 3832	4604	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe	85
PID 3832 wrote to memory of 2888	3832	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe	86
PID 3832 wrote to memory of 2888	3832	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe	86
PID 3832 wrote to memory of 2888	3832	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe	86
PID 2888 wrote to memory of 1456	2888	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe	87
PID 2888 wrote to memory of 1456	2888	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe	87
PID 2888 wrote to memory of 1456	2888	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe	87
PID 1456 wrote to memory of 3512	1456	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe	88
PID 1456 wrote to memory of 3512	1456	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe	88
PID 1456 wrote to memory of 3512	1456	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe	88
PID 3512 wrote to memory of 3168	3512	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe	89
PID 3512 wrote to memory of 3168	3512	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe	89
PID 3512 wrote to memory of 3168	3512	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe	89
PID 3168 wrote to memory of 3104	3168	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe	90
PID 3168 wrote to memory of 3104	3168	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe	90
PID 3168 wrote to memory of 3104	3168	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe	90
PID 3104 wrote to memory of 792	3104	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe	91
PID 3104 wrote to memory of 792	3104	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe	91
PID 3104 wrote to memory of 792	3104	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe	91
PID 792 wrote to memory of 2396	792	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe	92
PID 792 wrote to memory of 2396	792	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe	92
PID 792 wrote to memory of 2396	792	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe	92
PID 2396 wrote to memory of 3340	2396	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe	93
PID 2396 wrote to memory of 3340	2396	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe	93
PID 2396 wrote to memory of 3340	2396	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe	93
PID 3340 wrote to memory of 1072	3340	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe	94
PID 3340 wrote to memory of 1072	3340	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe	94
PID 3340 wrote to memory of 1072	3340	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe	94
PID 1072 wrote to memory of 4596	1072	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe	95
PID 1072 wrote to memory of 4596	1072	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe	95
PID 1072 wrote to memory of 4596	1072	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe	95
PID 4596 wrote to memory of 2960	4596	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe	96
PID 4596 wrote to memory of 2960	4596	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe	96
PID 4596 wrote to memory of 2960	4596	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe	96
PID 2960 wrote to memory of 4196	2960	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe	97
PID 2960 wrote to memory of 4196	2960	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe	97
PID 2960 wrote to memory of 4196	2960	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe	97
PID 4196 wrote to memory of 1524	4196	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe	98
PID 4196 wrote to memory of 1524	4196	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe	98
PID 4196 wrote to memory of 1524	4196	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe	98
PID 1524 wrote to memory of 4032	1524	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe	99
PID 1524 wrote to memory of 4032	1524	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe	99
PID 1524 wrote to memory of 4032	1524	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe	99
PID 4032 wrote to memory of 2016	4032	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe	100
PID 4032 wrote to memory of 2016	4032	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe	100
PID 4032 wrote to memory of 2016	4032	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe	100
PID 2016 wrote to memory of 1708	2016	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe	101
PID 2016 wrote to memory of 1708	2016	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe	101
PID 2016 wrote to memory of 1708	2016	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe	101
PID 1708 wrote to memory of 2228	1708	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe	102
PID 1708 wrote to memory of 2228	1708	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe	102
PID 1708 wrote to memory of 2228	1708	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe	102
PID 2228 wrote to memory of 4200	2228	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe	103

C:\Users\Admin\AppData\Local\Temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
"C:\Users\Admin\AppData\Local\Temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
- \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
  c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1100
- - \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
    c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
      c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4604
    - - \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
      - \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:232
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        \??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe
        
        c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe

Filesize
236KB

MD5
3cd7ae547d9b6e795f678e9400ec1f25

SHA1
2fef162c158629e9f2a93c7db99909906ab7306f

SHA256
71cb7e544dc8a6f009fc83d4baa4aa3d237bab5c763c75f9d98e491f42daa0c7

SHA512
d091d96399bbd7722c235da4a9effb92f811f151fb946987a6c4d90d288079d5e2e16c89343e1bd19e174e1ac15b6bc762262301bd3110546b3b870d412fba5a

Download Submit
\??\c:\users\admin\appdata\local\temp\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe

Filesize
236KB

MD5
85bdcdf13913bc77ea1ec2b88a303e88

SHA1
f949096ff38e9c3d96b94fd82b76ebbfab29ed10

SHA256
27d0fdbb714ee2f96739465d56d38c93e5b8de92015d46c451cc1217cf80522f

SHA512
dff030f91c025421b669c5d65c0df363ca733491a09f088fe5c02527b7192312475265b3fdd7a423bcde9931a2ad7e442325c852ed3375e5cbb12de74bc448f2

Download Submit
memory/232-219-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/792-100-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1072-127-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1100-8-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1100-18-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1456-64-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1524-164-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1708-192-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/1776-237-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2016-172-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2016-183-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2228-201-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2348-238-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2384-27-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2396-109-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2692-0-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2692-10-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2888-54-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2956-228-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/2960-146-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3104-90-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3168-81-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3340-110-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3340-119-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3512-73-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/3832-46-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4032-173-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4196-154-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4200-210-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4596-136-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download
memory/4604-37-0x0000000000400000-0x000000000043AB3B-memory.dmp

Filesize
234KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202f.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202s.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202y.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202u.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202o.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202m.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202i.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202l.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202k.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202q.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202x.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202d.exe\""	513df439eb9164cacc436a4b757d094ba15854c4f344e2d864015616bd567687n_3202c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads