b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 18:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
Size

581KB
MD5

41c4cfeaad13d0b7cdc0db72331d13c0
SHA1

0b2e4d28656061b4706cec89ec84cb5c12dd5192
SHA256

b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957
SHA512

6d0fee4f3856dd10139631e2ba9d5b5eea07822aa0d583c683c9dd3ce97d6a5be472f49c34bcc4f3df0ad51cf2525b0133dadda35899be4d2ed56bc53616c7a9
SSDEEP

6144:UhbZ5hMTNFf8LAurlEzAX7oEwfSZ4sXUzQI6FyKezcdwgamz:KtXMzqrllX73wfEI6c0

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
1816	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
592	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
1448	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
1476	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
1672	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
2968	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
1924	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
1804	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
2120	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
2700	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
2676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe

Loads dropped DLL 52 IoCs

pid	Process
2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
1816	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
1816	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
592	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
592	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
1448	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
1448	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
1476	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
1476	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
1672	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
1672	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
2968	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
2968	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
1924	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
1924	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
1804	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
1804	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
2120	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
2120	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
2700	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
2700	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000e00000001228d-6.dat	upx
behavioral1/memory/2756-14-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2268-12-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2756-29-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2576-44-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2152-43-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2576-60-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2564-73-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x000600000001945c-81.dat	upx
behavioral1/memory/1988-90-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2912-103-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1728-121-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2648-120-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1728-134-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/676-151-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2388-165-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2536-182-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/556-180-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2228-198-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2108-213-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0005000000019f47-226.dat	upx
behavioral1/memory/1816-243-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1448-265-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1672-297-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1924-314-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1924-319-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2676-353-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2700-352-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2700-342-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2120-341-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2120-336-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1804-330-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1804-320-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2968-308-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2968-298-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1672-287-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1476-286-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1476-276-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1448-275-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/592-264-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/592-254-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1816-253-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1976-240-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/1976-228-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2108-225-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2228-210-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2536-195-0x0000000000400000-0x000000000043B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets = 42577cfad1ef3e13	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2756	2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe	31
PID 2268 wrote to memory of 2756	2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe	31
PID 2268 wrote to memory of 2756	2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe	31
PID 2268 wrote to memory of 2756	2268	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe	31
PID 2756 wrote to memory of 2152	2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe	32
PID 2756 wrote to memory of 2152	2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe	32
PID 2756 wrote to memory of 2152	2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe	32
PID 2756 wrote to memory of 2152	2756	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe	32
PID 2152 wrote to memory of 2576	2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe	33
PID 2152 wrote to memory of 2576	2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe	33
PID 2152 wrote to memory of 2576	2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe	33
PID 2152 wrote to memory of 2576	2152	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe	33
PID 2576 wrote to memory of 2564	2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe	34
PID 2576 wrote to memory of 2564	2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe	34
PID 2576 wrote to memory of 2564	2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe	34
PID 2576 wrote to memory of 2564	2576	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe	34
PID 2564 wrote to memory of 1988	2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe	35
PID 2564 wrote to memory of 1988	2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe	35
PID 2564 wrote to memory of 1988	2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe	35
PID 2564 wrote to memory of 1988	2564	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe	35
PID 1988 wrote to memory of 2912	1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe	36
PID 1988 wrote to memory of 2912	1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe	36
PID 1988 wrote to memory of 2912	1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe	36
PID 1988 wrote to memory of 2912	1988	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe	36
PID 2912 wrote to memory of 2648	2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe	37
PID 2912 wrote to memory of 2648	2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe	37
PID 2912 wrote to memory of 2648	2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe	37
PID 2912 wrote to memory of 2648	2912	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe	37
PID 2648 wrote to memory of 1728	2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe	38
PID 2648 wrote to memory of 1728	2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe	38
PID 2648 wrote to memory of 1728	2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe	38
PID 2648 wrote to memory of 1728	2648	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe	38
PID 1728 wrote to memory of 676	1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe	39
PID 1728 wrote to memory of 676	1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe	39
PID 1728 wrote to memory of 676	1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe	39
PID 1728 wrote to memory of 676	1728	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe	39
PID 676 wrote to memory of 2388	676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe	40
PID 676 wrote to memory of 2388	676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe	40
PID 676 wrote to memory of 2388	676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe	40
PID 676 wrote to memory of 2388	676	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe	40
PID 2388 wrote to memory of 556	2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe	41
PID 2388 wrote to memory of 556	2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe	41
PID 2388 wrote to memory of 556	2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe	41
PID 2388 wrote to memory of 556	2388	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe	41
PID 556 wrote to memory of 2536	556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe	42
PID 556 wrote to memory of 2536	556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe	42
PID 556 wrote to memory of 2536	556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe	42
PID 556 wrote to memory of 2536	556	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe	42
PID 2536 wrote to memory of 2228	2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe	43
PID 2536 wrote to memory of 2228	2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe	43
PID 2536 wrote to memory of 2228	2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe	43
PID 2536 wrote to memory of 2228	2536	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe	43
PID 2228 wrote to memory of 2108	2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe	44
PID 2228 wrote to memory of 2108	2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe	44
PID 2228 wrote to memory of 2108	2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe	44
PID 2228 wrote to memory of 2108	2228	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe	44
PID 2108 wrote to memory of 1976	2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe	45
PID 2108 wrote to memory of 1976	2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe	45
PID 2108 wrote to memory of 1976	2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe	45
PID 2108 wrote to memory of 1976	2108	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe	45
PID 1976 wrote to memory of 1816	1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe	46
PID 1976 wrote to memory of 1816	1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe	46
PID 1976 wrote to memory of 1816	1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe	46
PID 1976 wrote to memory of 1816	1976	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe	46

C:\Users\Admin\AppData\Local\Temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
"C:\Users\Admin\AppData\Local\Temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268
- \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
  c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2756
- - \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
    c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
      c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2576
    - - \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        \??\c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe
        
        c:\users\admin\appdata\local\temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe

Filesize
581KB

MD5
7804b566d8948227ad363daa265dfa18

SHA1
99ed956682c2fc3769bcc3b860061cb774d3d2ab

SHA256
716a908c7a5bd49dbca319915aad750c16c7e17f47f7e89001cfc778db0b4e65

SHA512
c6b87ff0e69c4a146beb32e083d3a63a8152606cf101b8d7389faeead3d823d032b121aafb1ba54b30624d38dfbbdfe5a40cb4a6e59b7c8384bcc1f656a99710

Download Submit
\Users\Admin\AppData\Local\Temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe

Filesize
581KB

MD5
50202ed51cbe52be9654a399c33543a4

SHA1
61c77e4ae460d7ed36e76d26cee5d37fc62bf643

SHA256
cc380ebb22d69d41856f97e884638a1ad97f86ce0a8f388a020517c05983bbf7

SHA512
927a2a5c822819145eee049840180e1ffd829bedf65c3fe6b303f014d9406209f979eb5d0f616e0fc7351078c142317495fce742497587b9eb77afa986700f2c

Download Submit
\Users\Admin\AppData\Local\Temp\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe

Filesize
581KB

MD5
605ff490f87108ca0d99d76ee0b5571d

SHA1
ca490ac8be98dc07f7f441222792674712137347

SHA256
2a65de9c27944aee1e53b8fe12b67995041bb61ee49f20a73e9b52b77b693d17

SHA512
d600bbfdee3938e1ccb3576d615ee99bd829ed3cdd6d6970ae883a8b3d29e8680556a4dfc9c4dfcef4ae2112a6100fc267970c2c404e3d90d467f4322f7c53bf

Download Submit
memory/556-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/556-179-0x0000000000540000-0x000000000057B000-memory.dmp

Filesize
236KB

Download
memory/592-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/592-254-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/676-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/676-148-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/676-149-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/1448-275-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1448-265-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1672-297-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1672-287-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1728-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-330-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-243-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1816-253-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1924-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1976-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1988-88-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1988-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1988-87-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2108-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2108-213-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-336-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-341-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2152-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-210-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-198-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2268-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2268-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2388-160-0x0000000001D30000-0x0000000001D6B000-memory.dmp

Filesize
236KB

Download
memory/2388-165-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-195-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2536-182-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2564-73-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-44-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-57-0x0000000000360000-0x000000000039B000-memory.dmp

Filesize
236KB

Download
memory/2576-58-0x0000000000360000-0x000000000039B000-memory.dmp

Filesize
236KB

Download
memory/2576-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2648-117-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/2648-118-0x0000000001C20000-0x0000000001C5B000-memory.dmp

Filesize
236KB

Download
memory/2648-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2676-353-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-342-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-29-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2756-27-0x00000000003A0000-0x00000000003DB000-memory.dmp

Filesize
236KB

Download
memory/2756-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2912-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2968-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2968-308-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202v.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202y.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202f.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202s.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202u.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202t.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202e.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202d.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202r.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202q.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202x.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202w.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202h.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202n.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202l.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202k.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202p.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202o.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler = "\"c:\\users\\admin\\appdata\\local\\temp\\b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202j.exe\""	b3045a086d6445a42b9367920e0db51092d9188cb8d0d13f98856c6faa96e957n_3202i.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads