f1d10b9078cdfaee5d84454bd5fbf8d95e0da16fce677d29943ed503d51b4fab

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b320b2d23159f10e47d51db6efad1e4b.exe
Size

384KB
MD5

b320b2d23159f10e47d51db6efad1e4b
SHA1

f734ad3f90a01113a57b6d48ce7429f2cd94f8d6
SHA256

f1d10b9078cdfaee5d84454bd5fbf8d95e0da16fce677d29943ed503d51b4fab
SHA512

0b7e6454b4fdacd51cbe56558d77f0fde2f5d8df41da27f7caf6aa74ee1bccfaa83c859b08b7165ce1903ac39895b6f6abd00ada35b2b6167eafc1ef3792fa38

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	b320b2d23159f10e47d51db6efad1e4b.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

pid process

1204 b320b2d23159f10e47d51db6efad1e4b.exe

Adds Run key to start application 2 TTPs 88 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe

Enumerates connected drives 3 TTPs 440 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\E:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\G:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\X:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\E:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\U:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\U:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\X:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\K:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\T:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\G:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\R:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\M:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\T:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\M:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\X:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\M:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\K:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\H:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	b320b2d23159f10e47d51db6efad1e4b.exe

Drops file in System32 directory 1 IoCs

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll b320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	b320b2d23159f10e47d51db6efad1e4b.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1204	b320b2d23159f10e47d51db6efad1e4b.exe
1204	b320b2d23159f10e47d51db6efad1e4b.exe
1572	b320b2d23159f10e47d51db6efad1e4b.exe
532	b320b2d23159f10e47d51db6efad1e4b.exe
1736	b320b2d23159f10e47d51db6efad1e4b.exe
528	b320b2d23159f10e47d51db6efad1e4b.exe
1968	b320b2d23159f10e47d51db6efad1e4b.exe
1672	b320b2d23159f10e47d51db6efad1e4b.exe
748	b320b2d23159f10e47d51db6efad1e4b.exe
856	b320b2d23159f10e47d51db6efad1e4b.exe
1792	b320b2d23159f10e47d51db6efad1e4b.exe
948	b320b2d23159f10e47d51db6efad1e4b.exe
1656	b320b2d23159f10e47d51db6efad1e4b.exe
2028	b320b2d23159f10e47d51db6efad1e4b.exe
776	b320b2d23159f10e47d51db6efad1e4b.exe
1728	b320b2d23159f10e47d51db6efad1e4b.exe
1764	b320b2d23159f10e47d51db6efad1e4b.exe
904	b320b2d23159f10e47d51db6efad1e4b.exe
1108	b320b2d23159f10e47d51db6efad1e4b.exe
1528	b320b2d23159f10e47d51db6efad1e4b.exe
1980	b320b2d23159f10e47d51db6efad1e4b.exe
2028	b320b2d23159f10e47d51db6efad1e4b.exe
1472	b320b2d23159f10e47d51db6efad1e4b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

pid process

1204 b320b2d23159f10e47d51db6efad1e4b.exe

Suspicious use of WriteProcessMemory 92 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
"C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
23⤵
- Drops file in Drivers directory
PID:112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d00130a40506f35e922cd87520705d39

SHA1
78e628bf8a2d73dc881dc2af5873ca72f49f0bf3

SHA256
e03e25781353edd32a73b57d131f71f462729118b086fcbabd036a7abe280e92

SHA512
09a5d93227c0b15ba82782b9d75a81503fb90f1aba023999687b4d5c3c632ec5b219f1abe083c116f827bade12a63d9e55670ad0c8e13a82a1acc1a2adf29f5f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f0ad812773a5da64e094701ee22ef4d2

SHA1
20b2c671ab41ee42c621b8fe31c76aafa4e514c2

SHA256
a3c6206f1e5bad6c4b17a91ac5639b594d12cdc0ed020da8d65303f841a4a4a8

SHA512
473e7812973ad8834680bbbdf2e691ae2bb0ac00ae63a66a129b57fcb157ae317b6c21d6190cc281aba7648596a7e410ecf5fe995437a4c206b9e648f05a21ef

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e9a16a9afcd8860435bf429205eac054

SHA1
4e82b02fb47ada18cfd988f172daa27c879cc5f1

SHA256
c562ffb54039d5698237e1792235106950b89384a74f1a7996c41cf805d176fc

SHA512
35d008cd4604c791b81696104b5a523dcf361f9265bba1ea40355b647e4dbf1b8a7cd51d37247e9fb5f4b0db0a39bf47e9ce5c23aadf04573020a5c8fd3799dc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e852ba34521372252a9ce767432fc05d

SHA1
e7209afdcca888aafde46096cf72cd02ed56738c

SHA256
c35cdd0aa6c8e851c4ae829358f8c046e4a741221a3347b777f517b89d58dbb7

SHA512
dd13906cdba172e5f000187b2712c4b24d26212713b2c6adeb0b490dfd5939c773958118df5642c3e1f23c008eff2ab7ac510f3bbc788949317d6a19240c11a7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a1f1eb3e18722f900724ac19abde0ef9

SHA1
ee145ef8ebac814da7263ce62b2b3959960ff994

SHA256
b0f21443c0e071466cba9ce76fdc2b4955a75097d36532c5f49fd7fa6aed72f5

SHA512
22e1b20713d659e0fe6eab177126d22e5c17e392b8773b7d7c068978d2b1b340d78eca3adbb815a3fa3138712d0602884763e2206c492744442504507b006000

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
58ae38dc8f15b948b0437b778a38c431

SHA1
cfa3eaba35a2b925d0b0be5a38b9e90657df3df0

SHA256
4cfa00ca8fd09bb9c334c0434b27a61efb809ca041eb4bb7c66fb18ab3f04562

SHA512
5782d5fe823328ae2caffe453750fc28475fa6985e0a2e244611d8f54781846b84d425521f219131e9d7f8124e8fcacb7141afdfc079ced9ce7593320adb3109

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e78750fcc5998ebbfd11852dc2f96c8f

SHA1
403333bef24cb6c081b1ad47553c49522d2b3add

SHA256
f5f89f2116e93443f90ab88ae5314e7002def9b4312b9553e7c0be72988cf630

SHA512
eda4c1d10809ba4c92361d6868cb4a359b18c5817b8e10b1c7808de8fd481c92593c9de268c83d094c4b49aead7809b14cf0742ef8d4955856842e44378dd293

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2d57e85a5fe480b11c9798656cf25cad

SHA1
e0f21779967646a95a0b3169728f4ab51482eeb4

SHA256
6109bbd0b5f668e284b49b25feb9a37b0761576080511ceead6bf270623b11a1

SHA512
c1ce1db13a58d2f5284f73ca9fac70375653a90a2ca14e9259077c92ef305e0450e438d5278ad48faec8ee34fb0abe7ec6063d6d854fbf6af41d4b9fc5831a47

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c4393e86cec92547584d16c5f54f2897

SHA1
a42c82deac75b2331f3f013fb962f51db731bdb3

SHA256
b5e07d8a8e45a4cae6dc8d8cc7f51beb28d9f90dbc1d78be1d7f48a5f6d86439

SHA512
fa4b24ad2cc5868c506d0b9a70e5d7b51afa878563a09496d0238d4f5ecbc6ae3265b37bc7577568e724ffd7fa2ee242c9f595642cf243811e1cdbc732bffa82

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8eaefbd13ab5f9afc9da47f4e0882832

SHA1
092427987eaea84e00473506b272f193be053156

SHA256
386a7da7d0cc6d5aa01b190d26b68979376cbfe00347f2dfbf6657852835e8d4

SHA512
4a4155c1665862ac0ec4505221752b53b79e511e342e4b0ed1454029ef06b3f9337470a3eb7677eebb2ed15faabb8301ef6c0bfc99868eddb019525353a0761e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bb227b875a14e56c020963109d9b8688

SHA1
4f04445f4600072385c3d3d14cced94923bff1f7

SHA256
f172863ebffdfa16e1bce565e75f55c9d17d7bf947e3207304df43b637fb417a

SHA512
f93181ae83aaa754f94e35c9f1b1c245612494d2db1e632ced9c741aafc5f301a447292b93b2da434ecf5986ee837d5008976b97b31e16906bdc5f56a0ff07f0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
59af5d29076b1a4804e41b79a7d2d7d5

SHA1
98c1bb9e237b30ca8cbb0622caddb55c2d45227c

SHA256
ae423a60f668a03a18b0c1745179a04fae517fb45c9c37ab0e9f87ad79c4044b

SHA512
d8b2e52c461284c817f3dff33f363bc647c43782ee0d68aed935e16c672d77cd1cd14cd7f29861db8a0bf4d41133e977bb540c2b3f6aee95b99a522985ad59d2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
cb0807d90244ac8c6e9fe694a4cdf048

SHA1
cc9c05ae4fc7c41d1c2b34805d44f0581ebad7a3

SHA256
1148ada9d0f8c3c4b8b071285b2717e0bcdbfa3986f62e3d4757a03d7606cfe2

SHA512
86ced56e3068618bf85543c4fefc562f82254e6e5bf6b09d1db011371cd28103634fcb709549afce3103c639a388a59883942bd6c735510dcbf6c0edeb9f13ec

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
494b3691510491c198d6d6e06e239801

SHA1
666192f456e3ab27264bdedf42f56c6e247cdf8c

SHA256
0a5f1378eeab9343341a63c820136cf43f3ffa909d8b8a83a2aabcbc9b66876e

SHA512
b77e452cb3bbf6fa95059b018d75222f7133e5d677863cf0d163578fda6e5b9c078ba34b35ab5d68bc8addcddde826d7b3d82242628115b06f4886e5840e8c14

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d15d9e6490314cefc0e0d07350998732

SHA1
67754803a17f723dbad9eee1b26a32bee9b1afaa

SHA256
ba042cfc35cb3301c25c39fd6cf4e006b4dc6628868486c6d6d53207ede532b8

SHA512
dcac7ba0ab99466fd3f70bb078c823bb736ddc88f2f145b9740792a68427ae2b2640456f9bb3ed4d0ad7ba03f68a8340f3a1c9bd297e9ff657f4fa61a0004292

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1f10f5c92190fb036ba5cd15e23b92c3

SHA1
5d8e5142e248fe9b3725c3c7294c5c8bd5972105

SHA256
9bc81d2299e44a662a6b48f4909e25ec9c0a5e49323e27cd02a01fc561d783ee

SHA512
5d931d230fda250358f325925fc96688450b973f2e5f203756d11e812940aa31bdbc6d341c42285ca77bac55a9c36ea26d73401cecd10b52e2a233b7ebc85d45

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c88eaba2bd3fd3f4182866dd83b29659

SHA1
7c30ac66a0a51a01c80d6b56069b2f57316ef9c3

SHA256
c2c305af2a65cc957494cf2478d8fd4fa346c948765b404a8ca4fffb9e20d6ff

SHA512
83664871c0eda7875bce128423ecdd171b4227e78b4f0303156fbb7c5df51f52a5fb9025cbceb473ccbd008b7fe0ca3ba20f746899f000028ca631a3cf5cba5e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c75a6013e2abdb0a560bd08d8b2bf4c9

SHA1
74fee49d1681bd741af528ecf39e6ee9c5fc5218

SHA256
a52ee150a15460eb507af97c4d6ac77c503568f185354c13fa78b38b906c31d6

SHA512
1990dbda9df2174dff0472385de19e9a043933ea3a87f20c1c9b289547ab4f35e72ee3858cc153b82abd9327cb36c00af2da73b911576be9156aea8b93b238c8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
98acaae69d09d778b96705a38854c808

SHA1
669fea104396def1945480dece890c1460c35c1a

SHA256
495fca07825b93b60228f18abbb1a88124bcc2f9a5def19df1de4e6a2d40605f

SHA512
687a3740acaf5de5c644df956a72ef096611b5400a37a9818c94f5998ac6d8b061f45d5d875060be75f23b23311869f33d0b7e665acc57f5167efdac220975f7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7b4b3af5754e13ed90f78f722f619d3e

SHA1
1014ad58c590a597a2de83f335a1542852cbf3e9

SHA256
5f8eb91a1dd9731f4995cc51ea0b9dff42949a8ac644d119cebccd4e36896ba1

SHA512
1f0762da2af69809cce5b6d58f5c224da67b9877360b67b367459d062d10e87323bd64c5e0a2d11240bbd8673516c53e269a47b8214926f18b13cf55e7568852

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a788d00ba92ffaf2930e39511056269a

SHA1
8eb84e5ccef332cec0da68b7589d638ee5242743

SHA256
88332a200a294e5d48178fcd277004decc5934a0edd42e9cad87f5517a982e01

SHA512
6065dbf9335a1831375818253550b4dc2c03928dff89e0b3f11c042ec331931c195dea2b71a446b15fde88bc10fefde204ce1af9221c5f692796c1605efbdba3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7e457b222550d795503f6065dc9793a0

SHA1
f0c4f6d93a41afb0ad2aefb0804151ed7e054f0f

SHA256
711eb840d5642edbfcdef8f22b8446d11ad7be1eee344f362a4c0bc06b22f131

SHA512
7ef1a818dd677ae3aa9d691a3eb8d47aa72622fcc0be960864c9eaa025510b4f706f4a260864d97aaca03d5e1766b7629f9f240d57024ead3395c730d5f6a806

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7c0cd1329e13250eafb396bdc7932520

SHA1
8b61c35263fa5dc2fde6a11719b8aa5f96a64b1b

SHA256
f0823dbe90b6c931b0a208c5b6aa59263a7539bc69369992986c7f2efa145fc5

SHA512
a18c0e30e1bcc49f410c791f3a50e877905110647c185c16047761196821104bc8cb2c82d5e3c4451297b59a2e108106a3f3150174cab4a5059044f625b36777

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c795c965891a89dbc313aa4d5616f6dd

SHA1
b433ec5011116eaba895e224ae9bac533508da8c

SHA256
ba12411935b5e1347d86cc71275f615f2176efe1e881a91fd58ea20dd93845c0

SHA512
07a65261fbbe4b1235d7be389e4874aa60a5fbbea53ae9814f0c32d445189af06f33d6a0c23eeb5ddb1222c8e0c1f8be7731b507e579c5c855fd77fbe955b2d4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
205ff13726ca6991eab7c96909ede74c

SHA1
e4591fd39ffeb5590c69d89b6b70f932bb44a28a

SHA256
a4485bc55f9d93b08435def165225feda548633e0c979a9fcc14db8573c278be

SHA512
76f841cf6bf422dde6df72da5a2471a65546248f318dc7d4cb67d34fe51bb07907db0a0cabb989755055116dde47fa9336daf1779a60c470fb8a33595cbf2bec

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2bd61bf38496a55b624658feb740812e

SHA1
30d91762ee1807001986d9f2de821cd405ecd434

SHA256
3ab219cbfdd3b58979af4c42e444def89bf4c2b59047e6b57dd4a372f254e03a

SHA512
6b86f336f0fd3d3c35b470bdcd0ae8de45314df682f0c81f4ad838f4216b013339c60b19018bc5ca1934670c4e1661df65672288108ac8e11e7a664ee097efa3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e7e0347a6277a09df760375cb8d11493

SHA1
a4e7a558bcbf3c1c58cf1dc722d59f4e71a39ead

SHA256
900957a866a3b6ce4451f86861f8463042a478639402a7b48f1756ee008dc623

SHA512
1342302e85eee07fdd40fda2323aae330f782a9e2bd6105f8447c186a56033e707547d4ee59e96f2b4d72642aa5f79a4da713c6f7dbaf1b01c2cb73b47674301

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
510156ac9bb0a08d926a9f2d7273d67a

SHA1
c0210e93817bf64e596d8b7fbb16933c3c29f802

SHA256
eee233362c37b05fd559f1c00c8fbf3a1c12d925b68e8989543d7ac71b65b58f

SHA512
ee185122d2145aa5885bd2d4acc392a68c0f9d2ddcf6df3f6cad6181df214307d0e69286dff52137715df28847b6f4df2c6c408e781026338856a2e41dead994

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/112-88-0x0000000000000000-mapping.dmp

Download
memory/528-16-0x0000000000000000-mapping.dmp

Download
memory/532-8-0x0000000000000000-mapping.dmp

Download
memory/748-28-0x0000000000000000-mapping.dmp

Download
memory/776-52-0x0000000000000000-mapping.dmp

Download
memory/856-32-0x0000000000000000-mapping.dmp

Download
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/948-40-0x0000000000000000-mapping.dmp

Download
memory/1108-68-0x0000000000000000-mapping.dmp

Download
memory/1184-2-0x0000000000000000-mapping.dmp

Download
memory/1472-84-0x0000000000000000-mapping.dmp

Download
memory/1528-72-0x0000000000000000-mapping.dmp

Download
memory/1572-4-0x0000000000000000-mapping.dmp

Download
memory/1656-44-0x0000000000000000-mapping.dmp

Download
memory/1672-24-0x0000000000000000-mapping.dmp

Download
memory/1728-56-0x0000000000000000-mapping.dmp

Download
memory/1736-12-0x0000000000000000-mapping.dmp

Download
memory/1764-60-0x0000000000000000-mapping.dmp

Download
memory/1792-36-0x0000000000000000-mapping.dmp

Download
memory/1968-20-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000000000000-mapping.dmp

Download
memory/2028-80-0x0000000000000000-mapping.dmp

Download
memory/2028-48-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1204 wrote to memory of 1184	1204	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1204 wrote to memory of 1184	1204	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1204 wrote to memory of 1184	1204	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1204 wrote to memory of 1184	1204	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1204 wrote to memory of 1572	1204	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1204 wrote to memory of 1572	1204	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1204 wrote to memory of 1572	1204	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1204 wrote to memory of 1572	1204	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1572 wrote to memory of 532	1572	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1572 wrote to memory of 532	1572	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1572 wrote to memory of 532	1572	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1572 wrote to memory of 532	1572	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 532 wrote to memory of 1736	532	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 532 wrote to memory of 1736	532	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 532 wrote to memory of 1736	532	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 532 wrote to memory of 1736	532	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1736 wrote to memory of 528	1736	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1736 wrote to memory of 528	1736	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1736 wrote to memory of 528	1736	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1736 wrote to memory of 528	1736	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 528 wrote to memory of 1968	528	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 528 wrote to memory of 1968	528	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 528 wrote to memory of 1968	528	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 528 wrote to memory of 1968	528	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1968 wrote to memory of 1672	1968	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1968 wrote to memory of 1672	1968	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1968 wrote to memory of 1672	1968	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1968 wrote to memory of 1672	1968	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1672 wrote to memory of 748	1672	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1672 wrote to memory of 748	1672	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1672 wrote to memory of 748	1672	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1672 wrote to memory of 748	1672	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 748 wrote to memory of 856	748	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 748 wrote to memory of 856	748	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 748 wrote to memory of 856	748	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 748 wrote to memory of 856	748	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 856 wrote to memory of 1792	856	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 856 wrote to memory of 1792	856	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 856 wrote to memory of 1792	856	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 856 wrote to memory of 1792	856	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1792 wrote to memory of 948	1792	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1792 wrote to memory of 948	1792	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1792 wrote to memory of 948	1792	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1792 wrote to memory of 948	1792	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 948 wrote to memory of 1656	948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 948 wrote to memory of 1656	948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 948 wrote to memory of 1656	948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 948 wrote to memory of 1656	948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1656 wrote to memory of 2028	1656	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1656 wrote to memory of 2028	1656	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1656 wrote to memory of 2028	1656	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1656 wrote to memory of 2028	1656	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2028 wrote to memory of 776	2028	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2028 wrote to memory of 776	2028	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2028 wrote to memory of 776	2028	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2028 wrote to memory of 776	2028	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 776 wrote to memory of 1728	776	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 776 wrote to memory of 1728	776	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 776 wrote to memory of 1728	776	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 776 wrote to memory of 1728	776	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1728 wrote to memory of 1764	1728	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1728 wrote to memory of 1764	1728	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1728 wrote to memory of 1764	1728	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1728 wrote to memory of 1764	1728	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads