e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3

Analysis

max time kernel
149s
max time network
184s
platform
windows7_x64
resource
win7v20210408
submitted
17-05-2021 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Size

148KB
MD5

5fd4f9d442a932fa1d1196383ae090e9
SHA1

3ce0f7e864bd7f34c7a6c4ac0f748de78aebac21
SHA256

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3
SHA512

4a6bd2e8d17e3036d8e232896328174cce51900d6ea269dd11c4a284f6a4f62a30f7fee4c5468e5fef457dedef37fc535ddf2f6ed09b0c38abf01dba2b2e9b4d

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

pid process

1832 e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\M:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\G:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\P:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\M:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\H:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\O:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\M:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\G:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\G:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\P:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\H:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\O:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\R:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\F:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Drops file in System32 directory 1 IoCs

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1524	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1728	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1088	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
764	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
772	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1688	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1984	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
916	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
384	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1456	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1912	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1496	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1712	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1908	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1608	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
600	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1300	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

pid process

1832 e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
"C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1900

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:600

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
23⤵
- Drops file in Drivers directory
PID:1416

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e2bfafe75f4581973df2e129360d3e5c

SHA1
c40af6195eaf153f0bdb5ba384f8f35546501d1e

SHA256
2801abf64177896c123341ec7990bdccd1a01e805a7841d395ef0fe7365c2a79

SHA512
2ddb47f21e15cbde93ee6518ecf76acf86f7e6e5d751c67d83579f82423c361a3c6f1436e730465a5ec0a9d6bff02ed949c69ff26cac033183a2c02fee247fb0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bfc568c83acd5f4ab9f6b952dc79df78

SHA1
3daa92826a1362d1c99c33b328dc6e781d528a7b

SHA256
7c093d03adf03c843c707ba55b7987e40d153fd62a4403d3c1afab2b26eeccc7

SHA512
d2fdd50a90419d04cd2b1e00e13909f7606892722beb82a15ac372020e10728d91a4a5e2a2125ee64c8f07f364a3c4e560343898f5f7ef31d82a61fdc0f8e268

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
ef9237c86da77ed4de1be97d5a280999

SHA1
79603f66a1476f6bcad2366be9133adc6eeb4104

SHA256
4fb7b30f300704d0e49868bcb8b261e9adf2f54339aeb1615d8fe137d26f8050

SHA512
ed5a93b8faa42d1f8bd07f6d15bda568034d0bc1289d1706fb0f5832a65781438ed79000a805016daa827d7ab92143952dbc5f856075e6ef0c4bdadd36a3f746

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0e04472c78f404129d097e53a0e78b3e

SHA1
ee57791df0e60e895740fa1371dc1f85ee247428

SHA256
98a6b2739bd3378b8c000bfc92e5fb71f5db1cd4d4f513a106c19d26f48cfdc2

SHA512
61b1bc00c56b4922deb61c18995e336e08e139b493103cb5ddce934a3779280eef30bba9cb0c8cb9767754486018475880161c78fe6aa3e01a824e33b7ab7110

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
9c1f62fb2e8e2e575259e236eae414f8

SHA1
22c90db9f1d5e2ba6b29c4ec7b7ea527fa29c7ab

SHA256
b55cc97f97a31db02994c47e6dd5bd8a283b0006db73ee2346caa05ea2881164

SHA512
74728e42de6b674c6d2371be8047f4d8ddab1f11a7bdc406ac278f55b7b7092b6586ec0f7a85159d8f1dd8298358d95bfe4c6ccc9b19a216b9aa984080bf2acd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
16a55843499d2defcf69ddc1b7965379

SHA1
373a365d787df9d75c81fa9a907fb2247064b577

SHA256
8ad5ff0e0da0347db6875a44cd6a2d7b801164a77345bbb28560bc8ef4763f47

SHA512
34079f203763d6781d27259a48600b752238726dbec946f3c93f700c3333025f90f2507b8a907c33e636ca91f951fd557cc578c79ff54746bfbebb4d4a4b8776

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
207f7d7c0c4cfa4f4ab1710d8551af22

SHA1
872bab775dc803b0955c269ebaf8e988b7bd14f3

SHA256
a256e5098bfe6ed8a5d0d00120dec68b997f2c8baa81f28dfaceb6d913cec0c8

SHA512
c394679a0f9d6cc0437c4dba07e053da81d96a1310c29b7c0f84aff5d98658f21973b263b1d8b75055f3d2a220b825d9593ca444b270fcfc51d065b21fa8ef4a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1385391151c4c91ef9ab26d719132e75

SHA1
c24514b8b0882f5a8e69815e4b5a11fa2a560454

SHA256
7c612396c692322002e7e6412c4b428e44e7d6daa93a5d6e53e906cb5c3c2a8c

SHA512
a4d8d9be3ec3d4b3a69a5ab79d39c39ee5ff283fac98364e0d31196c4431ba4079a25de149d99c0c84c34d6e1b753581f296cdb7d2fac1c2747b57f93682f75c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b14132df35ac43f5fe5f97364fe075b1

SHA1
c6b69625721421c8514d825fb1fdf9c107a923c9

SHA256
051dda663234d4fc151632de4fb3a9e5fb99dca2e59cdba32f2fa5d283b03629

SHA512
5949e6a4c95b72181f802cc0b9fc2702f208e593cabf69fc3d98a9abfd12f35b31e9af0e2e4f169a843012932ed8acbc030c1e8ca5d3e6bd89e5e20d9927c927

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fac814ac2f6132f066752433d8e6d6e4

SHA1
70906a9b44fbd1ef22197048d105ff4dc2beaee9

SHA256
88d942095bf3ff0adf3120d93bc82eb4921d3868555cdf2d685e780d2cad9ef3

SHA512
2e8fbf149e96487a5bea7fdc2f441e4ae706c00cb9459aab1847302733b305dcb7f9f4de9d2b6f907e8d0b7d7e51841c7adef0656dedb3042f3804ae4708e4ef

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6b804528678caa4e40cd7c81ed7a1b2e

SHA1
0d738b7a2180cc94502ba9d4898f9f26cb2a86d3

SHA256
ff789b1ad870d8dc58bf01819a44ec7e9f543e08714faeec215f4a89315ad736

SHA512
4fb801b73d3fa8ff1dfeebc502533612efd198de5ad467968fa5c73555cbbb88bcadffb3ad72b7a3868e1b5e4f3cd19682eea7f5347ce289dc7560d287d272fc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
8354a4a3ea4a5498aa82afdede33e8fb

SHA1
fb662b10fe743c6a8ab48471e242a8c9bf6bb722

SHA256
e7c8109a6e313482d7e337ee92e60aabc07988843f5889c5c6f4f452460fe7fd

SHA512
166b4c2bebcd54bdee241799718db448d92c81db91ee1638fb89689fa560d93b2efa3056c10afa74db4366d014db1a2b7f97748cd23600857c6555b93c6fff36

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a2aae3f70f0f11cd00112510aafeae53

SHA1
b68401a824803c1c09c9e8e615985a052c995545

SHA256
7c831498a8cf462496399d88c2bc48cb41915ff123dd263f6fcff26c7c61d7fb

SHA512
11cc77d7927f98d9fa5562bd6917680e4c280b01332e1128f4a6528b1fb6f1ee0a2a69e47107a0e4c825e6206a068337660448d284a22ee81493dc45a0201406

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9dd16a263f1a9579979d2dbd1229d19e

SHA1
658cb43a36cf3f3fa84fdaceb8c97b6b1738e591

SHA256
06168b9b645ba59bcf6fc816a9ed77a7d9003c1bbd3c8fb23aeb3069772ddcc5

SHA512
34f5aea18cd3a4f6b6f9020e091b6676e1321bb6dfb72f131c45b698690e239eb6e291a52c16dae7d15fe43cd0e049e8631b588758a8ad8e5591014ebb6b55be

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1122b6796eec4fceef4b5f19e84b268d

SHA1
e84bfa4278543549aa5331483f2b4e2087aac2ac

SHA256
fcf8a76a098b8caf529ea978c91bce5e7091908efc7bb9cce29e71b7cd9b0e76

SHA512
01c839cbdbc01e3fc6f8bf6cc03885e8a6088cc9208249a05e98a0417019bde1270a892e3d3138c82a589a57fab1b1c7922969cdbd66609ee7c4713e908a5e19

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1faefbe69ef21e9f4c62d1b4c9011854

SHA1
3826574ee1b37db482c99d65315cf28a02cc0b71

SHA256
274816bfa0cb741a0639641d93bf06c4e0b817b86ebd97648c3fe12a45c06e33

SHA512
90de0cb1a6230e147fa75b8919b634038fe838f473c1f59604972af9bdbfa59dcf5042b41ba2df370465554261a195af9e933cd973368458b0e7fbc6cc5d69b0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
104e5f5cdaecc07112475bc6843da3df

SHA1
4cef4a0a44c1b26f612145aa8e472ab22da9c575

SHA256
0e2e93cea35b853b5c7899ea6ca2101eda474b016b53287bd9c63ed57f9d0267

SHA512
a3ad91b49816dee974bb6c6723a5e2eb61a7adb9ac10ed7812086e96ad0fda179db8a04deef2f0ddc6627c09868bf062608a6be1cbdfc4d97bfd8ef8f89f7453

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
76bc10ea16183a509bba4dd90ac47127

SHA1
a6dc2256ec94eaa661b1dd57c054d78b41a5b8b1

SHA256
2092d8e7a42e495609eea79de87eed28273c03b5dbf1ed258fb4dcae71e1f0b4

SHA512
20b761d8d71f29077aa6159f2d24ebabd902162426970fee36a84fee4b5c5217577a714e4737798082aeed3257fe3ddbd864ece137d029df3bc8e788cfb3e4c2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
34e1c3748878efe6aaca7c7b6d273b59

SHA1
59875a295ac82c1c928c82ce513db60001748480

SHA256
132935c3ec13bf9f3b53e2993bc45fc5e7cfc553e63e5450f5c54c6a274b1e60

SHA512
cf76bc8e2b008ef27dddbedef372f2cf45c7f9af3b7237737496da6f696e9ada214fcd9abf3a41a95e86120834ee43e9c9447ef57c25b3d0987e766850f70353

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5fab2507c6dafa823b3f834a3fa257a2

SHA1
4b4e72bdbf967d6e033bf455c516733c93f0d14a

SHA256
4acd0ea6550c1cde8aae5260a1525c569cb8d612d3de84f630b9881d1ee79311

SHA512
f80cb4453ddcfcca8f0ce06e735bb0e6b2bc97d96101dc22e0d652fcb9f9e7e91428ab1b872855a140ef1479a0561d8e2d31ee2adf13b2c8652e19621c16a139

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e3fcfcc138e45a8c187c69380d418a0e

SHA1
9a713f4b1c86e82ea87a7be1618ec4a8009eb6f5

SHA256
5917da9a438d31123320806f8a0e57cc6ac6e409ed502dbb0cc18ce1c629aa68

SHA512
e5e7b1a64385be6a675731566b9a9a1bb22b64b78a61702614ed80cf7bed3fb9ce5c051c208af1bca88a3ee00f4613b06ae9dcc9352bee85005e7ab5997c25d5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
aeba4a0239b639add4f2d705fdd02e84

SHA1
533f6ae756670994a4a0c631b1f09661d8fb410a

SHA256
411af030fa7e8558717ffdb99205ae4aba5bfad832168490ac5bda22328e2ff2

SHA512
b9df2603d23a2422d5c6485441b74af305d5eb481805f6db0ebfe618a71acf303d4bc1dbe7fd49852dda8742d4df206fe1ef15072023138615e9df1ec8dcc940

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
37ec20aa37f006dea3a319912512ff7e

SHA1
12231e2c519f87ebfa3c925ca7826b88b5b5ba04

SHA256
b80fe5f8b253b5bbbb1c87291c494d782860b81915c7f9426b863e48f9f4f99c

SHA512
7efa481a32ec7abf2d44dc5681cb1fa3f51befbb06b751ef3794e6fc1f23be9486fdcff2728dd4bf6fc308346dc5fe2fc63ad6934c8c57702d56136c305923c6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1a6619cb6a1b9714450f33daf671bcf0

SHA1
7f69f42d2896e7f923c199f3968ca365213cf3cd

SHA256
d1926764bee59736a90f708006ed9a108ecd66056b3e41dbab1428942b8ceef9

SHA512
caa203015495b7e4669465ea9d57d725f29518a7e53a49d85891dfaf1fd99be1725b1776ae7704938b2caf0f16e7ca801ee62da395c3858bd532fc2df7fd0b28

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7a5b8913f3f5fe045cb815d0c0c77334

SHA1
c0f2d6f57e74527e9443fa764e80391fc12776d2

SHA256
dc2759c31165856e7ff6313f1d4815b9090759b3986be065171045d40a33460c

SHA512
05b5609a64f21378e29551f88925b85e9fdc30ffd0f979506d4c8ac6bc1605de949b0332049c16853868ffd73bbb82e03e8dacaaa51592f69323449ef136d97c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d4a5b3bd1a6e3cdbf016a0c194f7fea4

SHA1
261adf0a9ef9b2007824229dd153acb6e4e8ab04

SHA256
a17e51031f34c2be88885f9795236a22afa79828b71ea293d34b00aa62fb965a

SHA512
a6a58971bb2251ce9bbd23b13ab0f0e10e66261c7d90b43703dd31b3b43f06fbd2cfd21882ba276dada2331f9d170cab7b20534388c1b7e55ab81b306927b9a1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2981b8400dbccb9025e8d85e3025d6a0

SHA1
f6e2b7783e045bac29c46c42982a7d544678cb18

SHA256
563e2bd9f4dd81885582a3e02ff75246416d649d5c88614dc49b59fe3d4a8d71

SHA512
ee7c5c3581a597561a5b2fa6619f2889f3d2ce6b310ff4156b0f31690407159be08044e07faa9a26a280895ba186e6efc60553049e1b88ee1794810c3f497782

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8a1657121686576e40a307f140ac4c5a

SHA1
418020a8f2ca6b07d1764e6d0995be8d9056ee26

SHA256
d79b6676983145f64eb83e221c97470c7eda1ed5a1e9b3d7d3c0e0e6dc458799

SHA512
4703b08e5f862071e9bc3d16043bc7772812c465818ccff9668521477654a1a6ef07f15f462f836c6805a2a1fd2541b9977e5b91e068b7e3c57cf6796e170fec

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b11ff54f99f12fc032d248b218ba67bc

SHA1
e598f3eab10f020b95088ad972cbae0786634915

SHA256
0969884f3bc45e8c3867406b68ff0b3cbfd73218c51333c053f68c9216061012

SHA512
6f98d666cc41ffe4c44a8fe2f470f9c1eebef53e3678ba75a59f2fdcd5375485a85d31dd49ac3a1ec8fb9bb184e4588ad8168a82f358b411960dc539ae12b1fa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
24df2b57af1dca8285b1c6be4d04e505

SHA1
2a16f353306d5c0fa2a8812a470664395a4e0820

SHA256
49239165ac02cdb7fbc69c77cc6e9e0e653b1b8375f2abbf93d49224329d8d3d

SHA512
63701dd0580d880bb81467bc22d44e0db6f8097bc92a3eac5b0327f5af4bd81b8a662b97f16da8cc37dbd2194f32624b556b34cd738ddf0ad0fc3b07fe14b79d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
255041be996dce12fec74b2eb5d53c96

SHA1
9f51747ca60ff40d97be005a9e53c9adc85c6061

SHA256
1f703cfc7f3777797e3ec1c7003e5c242428e9419a49a788c0c687b7c1bcdaa5

SHA512
f5a8ecd1a7dcf8b9251d257216dde50a8b8e6a8e0fcc6a7f7e6c809b8a83d85e22618b542951e151adc9f31e9eb8420a64bbcc154b808e4fbd62dcc0032b4a6d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3120c825cfa3aaca571ac59e03f6729d

SHA1
b202d7e497d8c995ab97d23af8e75179104b7caf

SHA256
6f78995f3666ba9340f5032dfaef4e37b894d5f676a18df0475e3b5abea4092a

SHA512
34f1f7debbc71b2d6a83efd9d1bf53e02a7ac36b43053957e996f5116b2aba5e5bab2ec91d5d410ad3ffb06114f990f1db4a07f862517e63d46b9cab12781fdd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b3472c34e4faf34b81bc5fc705960530

SHA1
12f6027087bde9a28948f84191a5d3f5993f93e9

SHA256
e49633b67294f30ee4942eb22f11d03c9ea80b1c07e15dd69d07f33b06f3656c

SHA512
a1792861a4b98d635721600733cba83e4b6995b58dbd56b7b195a6cef130c49248e9f7ab74b358a006e67916a7011fde154acefb6845a438eda4dbf43ffaa855

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e7641604b321a5d0a9227effcacb641c

SHA1
6fe6cd2241c946415f5b0b7196afdedb391fadd3

SHA256
24eb66fdc82baec7ddeab86212f81f214a10a4f533fbebcb785f2644f18e2223

SHA512
9b389fcb0fc1aca6725a56bf6e71d27132fd537927c34e6f840a3b2c53afcc1cc9c93116add7f716f1aa1ed5c18bee2898215a4b9ca21c5c80bf11e7618a5185

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/384-108-0x0000000000000000-mapping.dmp

Download
memory/600-158-0x0000000000000000-mapping.dmp

Download
memory/764-83-0x0000000000000000-mapping.dmp

Download
memory/772-88-0x0000000000000000-mapping.dmp

Download
memory/900-123-0x0000000000000000-mapping.dmp

Download
memory/916-103-0x0000000000000000-mapping.dmp

Download
memory/1088-78-0x0000000000000000-mapping.dmp

Download
memory/1300-163-0x0000000000000000-mapping.dmp

Download
memory/1328-73-0x0000000000000000-mapping.dmp

Download
memory/1328-133-0x0000000000000000-mapping.dmp

Download
memory/1416-168-0x0000000000000000-mapping.dmp

Download
memory/1456-113-0x0000000000000000-mapping.dmp

Download
memory/1496-128-0x0000000000000000-mapping.dmp

Download
memory/1524-63-0x0000000000000000-mapping.dmp

Download
memory/1608-153-0x0000000000000000-mapping.dmp

Download
memory/1688-93-0x0000000000000000-mapping.dmp

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1728-68-0x0000000000000000-mapping.dmp

Download
memory/1832-61-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1900-143-0x0000000000000000-mapping.dmp

Download
memory/1908-148-0x0000000000000000-mapping.dmp

Download
memory/1912-118-0x0000000000000000-mapping.dmp

Download
memory/1984-98-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1832 wrote to memory of 1988	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 1832 wrote to memory of 1988	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 1832 wrote to memory of 1988	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 1832 wrote to memory of 1988	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 1832 wrote to memory of 1524	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1832 wrote to memory of 1524	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1832 wrote to memory of 1524	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1832 wrote to memory of 1524	1832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1524 wrote to memory of 1728	1524	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1524 wrote to memory of 1728	1524	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1524 wrote to memory of 1728	1524	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1524 wrote to memory of 1728	1524	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1728 wrote to memory of 1328	1728	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1728 wrote to memory of 1328	1728	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1728 wrote to memory of 1328	1728	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1728 wrote to memory of 1328	1728	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1328 wrote to memory of 1088	1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1328 wrote to memory of 1088	1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1328 wrote to memory of 1088	1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1328 wrote to memory of 1088	1328	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1088 wrote to memory of 764	1088	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1088 wrote to memory of 764	1088	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1088 wrote to memory of 764	1088	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1088 wrote to memory of 764	1088	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 764 wrote to memory of 772	764	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 764 wrote to memory of 772	764	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 764 wrote to memory of 772	764	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 764 wrote to memory of 772	764	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 772 wrote to memory of 1688	772	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 772 wrote to memory of 1688	772	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 772 wrote to memory of 1688	772	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 772 wrote to memory of 1688	772	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1688 wrote to memory of 1984	1688	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1688 wrote to memory of 1984	1688	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1688 wrote to memory of 1984	1688	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1688 wrote to memory of 1984	1688	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1984 wrote to memory of 916	1984	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1984 wrote to memory of 916	1984	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1984 wrote to memory of 916	1984	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1984 wrote to memory of 916	1984	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 916 wrote to memory of 384	916	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 916 wrote to memory of 384	916	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 916 wrote to memory of 384	916	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 916 wrote to memory of 384	916	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 384 wrote to memory of 1456	384	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 384 wrote to memory of 1456	384	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 384 wrote to memory of 1456	384	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 384 wrote to memory of 1456	384	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1456 wrote to memory of 1912	1456	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1456 wrote to memory of 1912	1456	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1456 wrote to memory of 1912	1456	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1456 wrote to memory of 1912	1456	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1912 wrote to memory of 900	1912	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1912 wrote to memory of 900	1912	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1912 wrote to memory of 900	1912	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1912 wrote to memory of 900	1912	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 900 wrote to memory of 1496	900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 900 wrote to memory of 1496	900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 900 wrote to memory of 1496	900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 900 wrote to memory of 1496	900	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1496 wrote to memory of 1328	1496	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1496 wrote to memory of 1328	1496	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1496 wrote to memory of 1328	1496	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1496 wrote to memory of 1328	1496	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads