1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Size

517KB
MD5

30f6be4f83317da5c73cccfd277e7dfa
SHA1

f42abf23107f541e5b3ab8414d16c1a42051fa77
SHA256

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964
SHA512

755f113061dd4d7fae0e0ac05a779e622073edb316ebc960bb590e48de23debaee566b19ad658104c23fa7b9af1df57c26556c5c3ccde8357e288220174a6300

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Modifies system executable filetype association 2 TTPs 23 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\J:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\R:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\R:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\T:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\W:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\G:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\H:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\W:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\K:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\T:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\J:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\J:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\G:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\J:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\K:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\V:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\G:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Modifies registry class 23 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1512	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1624	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
288	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1564	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
912	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1112	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
436	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1612	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1128	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
652	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1504	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1800	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
332	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1156	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
"C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  PID:848
- C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
  C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
  2⤵
  - Modifies system executable filetype association
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
    C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
    3⤵
    - Modifies system executable filetype association
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
      C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
      4⤵
      Modifies system executable filetype association
      Drops file in Drivers directory
      Adds Run key to start application
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        5⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        6⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        7⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        8⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        9⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        10⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        11⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        12⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        13⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        14⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        15⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        16⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        17⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        18⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        19⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        20⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        21⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        22⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        
        C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
        23⤵
        Modifies system executable filetype association
        Drops file in Drivers directory
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
cbd695ba09efbee59e7ea561a07e56eb

SHA1
4c7d283c47e53e47c6eed3aa00b264295b282b31

SHA256
48632b69ed40990696dcc06a8583024ac7425549ac46c5e20e400538ca09398d

SHA512
219031263918946d3b544688771b67ca19fc0d3ce57eedf55a669e608b8505ae60a4a433c359aeb9d26bf6d9259be62bc25d2fda796c238705fae3782006d34d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
31538fd54397fccf44b4949b553f751b

SHA1
d76c9c69482b0ef6c0fd4dbf5cd2225a9896d7fa

SHA256
adea05f196f1fefb9dec1d25c9cefc8a46f023fa0c0331ddecb3f576f76ac3b9

SHA512
2c8244b801e607623eb1e4cf18eed36669421a6c9daf2266d8640749e95128dd308a05d2cebaa114f536336425d537d600c059309aa5ce7c5d2553254d41e8ec

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
153a09fc46613da69165914fedb9e4dd

SHA1
4e0c50216645f76380589da375c928786c5404d7

SHA256
9995e8a0d1cffc3abf44a738708f983d678767ed63a4bc01e4053dec59c8d7ce

SHA512
9b2601f9dc5c70e1d03e96d3c62e6bec8a7e0adbe446b78ae11cbff86d5d3fd745b87ed5bab866872cded7be0830865be671b6d21b79178bfffff048ec8396af

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
0db501b65a2b76398ea519d2c32c6623

SHA1
8e510bd77fd23938702b1f39d200a359a3511cfd

SHA256
f9476a07f27f2fa4ca2953c26e5eac6d267db231fcdeb1dbd07786d93bfc4bb3

SHA512
c4a93c58d4280a078cde538d53d51843f5bb59d509d166c4078c22d1fec15e8f3f624d268ba97e33149e3b6f31a361645e6370a9f17e5d6b9c31780ba3e01833

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
d65bbffda204fc455bc9a005ceb6bf17

SHA1
622759446a6d52f095c82210475170944a36412f

SHA256
e819619452e9d04e276cc34974b3dcd5236a1b73e130624f831a8c1477ec0b6b

SHA512
5f9ff9f13ff2538b9515bcf414389f4e9b579e97fd22630f3003d3d76bdaac05d023378dc91a411cbdd99dfcac41c20652d9208d596443213eacc1d13db0f5a6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
0cc0eb9c88a4c53e5aa359c1d7615ba0

SHA1
01a9ba6002f4c7b04987342f4dcafb6fffb3b913

SHA256
2ff9d3b5f1c3487cde952229959bb5e4556a40bbecc421aa1e9cd02de4eb3ef7

SHA512
2c27f8cb10f2997e4ea937cc3b671228035146df8f153a8497bb4fe90c6a9199b15e974dd37ada882afa14a4a25271a2609748b4be5ba5f73ac8dc36f0e75183

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
ac61047edb1559bbbdca2a4de5e928dc

SHA1
5a6bb27dcd569772c82c7894c9e73d2fa583d18c

SHA256
75d6d2c06b04301c1e6b283df540fb439cc92a4f1671047dc66fb2e6000743ae

SHA512
f921433591b48d47fba96d1094ef10b29660852af38974fa22530b8be87db0757aaa978cfaf4f0684804a57748490a3ded9e63d9563224d6907c0131be4bc6af

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
8f378468d12d6e74d5b61bae4451c360

SHA1
497ead723cfe3ab3e2018a24e01ba09a71737fdb

SHA256
1e1ef62544ac5693adea0041a6f1cdb483b478244649e2cfe1ac2def39791c74

SHA512
ea7ec7e6fffd3fdd5ae30fe61e04bfbaf8a4c9e61ce65e4f76cc57f444edc4fe9de9591ae05a2894573c788f62df2c6a8a25fa32598cf038dff20b52d7558c92

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
e7f47554a477e444d9e99ea3e3ac3fbd

SHA1
cea5b84b18ce6dbeb980866d8d0a8ba4c0323f80

SHA256
3e2e97a8bacf0ac001f6bbd586e533831579e4120cd3f1acf301db3512465ba1

SHA512
0cf219e3f4a6045e49a2d69973a11c2658ea03c3864b0f93c091fb95251418177b69631c52a408f70c2a4cc6a5f2620cbbebcea2e52a7846d094738ce7d642ef

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
66860b25895ef198ee0d2fa99d29b9ce

SHA1
1ee7a67f692fd6d0cf785f1e14c1a36b78a4e003

SHA256
fcd80685d338802ef7942af24d135e00f9f7a2f13b3806aa94043eef6fd4c3bc

SHA512
b49c3f7ae70541cde14948da0580076968034f165e10740cae55c128fdf18f251cdc4309c46796f50ad3411e3021e8c607225fe034417b71400f7a4624725a69

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
1fddfb4ed1fe11b92cdc396f01fbc3d2

SHA1
cf111f3a5112e4c62ba8f1eb251873833334f8ed

SHA256
d60a3f37dae5d493bcb5d72ac23aa5912ad83513eb3b1b7074c0c66f0c4b1469

SHA512
4e0471a8331ee8d19b1a952ca6425e39a08e4873dc250dd3ea6e02de7f575fd55542a255758b34da7b41ec4ce30f9d3970f341fabf762b9fab6417d71ee28710

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
0b0673ceea6e8a817cedca17eec4c83c

SHA1
8984e7a7ff03db81837f6fda2737e9b80a7bc8cd

SHA256
390eb67af91fc74c1c7d77495548cc960889875e15d0f34ad0b8518d13093a21

SHA512
1ee42df6ca66a03d184eeee5914ad822976ac34aac81b8867695f40f0c1abaf6a41c5f1384d7a3de71aef1f67867dc965b7e501e39a0fb872ed38fa30533c191

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
79fdfdb363deda1ae185d9c8404a1547

SHA1
15b6916969a5bdd1880916e1e823a554895fc98a

SHA256
18ade16a94b8dfef807e14dba67712c8e11dc5d6e53947b893381a66e06ee1a3

SHA512
602e885fce2ec33212fdc3f2de5b427d3236f851d9553af4d7f00abaf7064c6e1cf95f9a6dcaac1fb25fe3b3dad75ae64fd9165f1975135169cde06881d7fb2f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
7c4874ed8a5a803aeae9112d12ced4b4

SHA1
0041b0bf8c180d871901792d7f2c2f358680b840

SHA256
f0745cf12045d341d3ca5a506df2207429a356898cd7be1f46c1280ddad1ef2a

SHA512
8ae6084f2b0c10c3343ff081da88e639557f4d23ce2f293541cd5518ff684e61e184b67684a0f9b7f8f36af44a6f5395f097662e81da1fd6ac82e20119006810

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
036aad4b99992f47c47693f43fc6d698

SHA1
1f886e99376fdd0ea732dc0abb98008e58c15284

SHA256
07e70a2fd3d927ef387a1e748382ed3cc859bcc1b0cca332174a1574d4ad475a

SHA512
3f4ee89e3fbe578c9dd8730f3191f084ae0c7d556415cbc564b49c570aeafb53c975dafe79fffdccb1ac2c77fc99197d21411950833dc504615dde5c2ee1ffdd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
a27479f8b45619bd9aacd42d69cb7d3a

SHA1
fde0c3824d9823fd5022be215577c346ecb046d6

SHA256
6f9476272fbfe4c968ed20d34ffae7237e6c80e2128673fbedd39ae783fe54e4

SHA512
630fa11c84baf0795e179466fabb45ac31349c1ea1f72208498dbc8143871a42e7630ef721c2a34e54656a57502ac5fabf3270f651faaf2f205f6224b4f466fd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
32f370772164986580423082c2d58ac2

SHA1
1d063e6a92505af7a2154f9b3ad2e219e253105f

SHA256
8f58e3f7bee9fd9aee96ab93227db761e8643496c388b5abf2b9aeff0ae349be

SHA512
849dfa19190dcc63b0ccb94ac5fc36f2b9b73625d5708bc9e2181c9e12ee6357a16cc5b12b4c58186fb9c7e8ace1ac5813fe50cbbedeb7666e115c9cf50e8926

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
c8db7f1843246ae0e0a10cc88cadfa59

SHA1
1eef8ab4589dfd6bf6f34f7ff51e9daa16f56e25

SHA256
3311e7377cbc7c1cdcba0af483ea4fcadabda363bbec1a7a4c40b0debe922e2d

SHA512
2f442cc4c9cf66d56425a87cd10e19fd9a289e11bec7ed3a59b23dfd18c8531d37dae18c653ceea36cdd4baca8049d092a8e790468e2ac609a38dd65109b6d09

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
bf9eb6eb63b6d5acb53aaec306e71a0c

SHA1
31cc375dca3f63dd06bec0c0da687170842e64d4

SHA256
fed73df54ca94cc410fee4954a2d1a05b5d19e171a99ea389cc12faac0b49c06

SHA512
7de05052227ded9e222ada4c53009ebce4d7130b102d5da935d8ecb46972c0307e6798d684e0aee5db3fbde7bc789a55d3b08f2f5ac9d5b9a121e8593cbc7c5e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
2c1eccbabd44d781731ce1d8d2e3d09e

SHA1
5d2831e196eb404f25299251a64438fb680be501

SHA256
45237f598d6e4028b00552f1c4f543a78e4582d9cae5b878f4208241fbae50ee

SHA512
161eda0dcca1482289bb413213ebb3bc354438d51104a4b6391de2bcfa1139bcbe4a71ea213bf797b2dbc26022a9694aed879d9c21b0c0e0d08bfa90961a04a9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
2e738f11c5d3cd4e7069b9cb131aaee0

SHA1
d51048ab6f015130acca9a68ed12b165fd637fa1

SHA256
87ad7676cf48131447af79b95f2500f40e0c068372ac7c63cd2f9f5e34b68987

SHA512
f52e9c46beb9ff15aa8d0b08ed2d0a343012f71fdd60d051751fa7ce0883f52e4eb39a67c7d6a78b31fadec26e9b39ac49ab425c01d9367aef3de43c6408628d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
f96b2ed3aa9057086260fdaa1a32fec7

SHA1
e9e8e19662c5d667cb1469b609ae7253bb50ea51

SHA256
c92390b70f8ee2d3580c7d328bb86f021645256c57fcd7fd92b5aa5fbcf1ec44

SHA512
8c362b7cb1e9bfbfb92260bdfc3fc35a4d9a34f34bb166ce8ac58352a2045623b57fa09514cf07b599d6c75fe637850647fd29fde01f330107a1bc1cd90bf969

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
34c4e90427087f8dd236ac2b5ca4af4c

SHA1
c873e6c0ac9836a35e9027a8851dfb51ffe5a543

SHA256
7eba29e480effc8eafa21f8384bf7f3ec35111f32f73a461f5ee8bde6751707c

SHA512
dc42b4eb407c1fd54e7704dad4a11953e0843ad5b77c23f547a1d8b4d371b8052d27fc7c872dc2dcb76bfe31c6cbaacbbd9ed8426a1bbd31aba38a4e450cb00d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
5d37838180f3871633e2312ad45f39c6

SHA1
a33ff567084be9f8309b7a206b63c2ee74e7087c

SHA256
70dc3eedc1122cc4dbecdf02608b58ca53e22d937584041971cbe40f22d59ba7

SHA512
ce32ba4611af0f3f76ae6c47fab83d83154aa5a10b5d19ac668f164d3304e0b769a91a80db32d48b191057a0f192ac731ce064831aadad5d7a0b289522165a0b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
8a104cb6a674e9958c29ac2e76841800

SHA1
787d69444186a23c92b21de5ad161fe005ccebd9

SHA256
e04727bb5b2266d027408a51608d2434128231656179396a3a41ccc863b5f5c9

SHA512
819fab757242b57ad20181d39591d11c7d3987232c287ed6410202e2afe8689318657a297ddff360ec3ba66b629b955ecf1f2b18254a727a6508a73c7cb63505

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
c93cd552e9a91b03337387a2450cb8c1

SHA1
18f814ebb8806071764d67974beb181ab9ebd464

SHA256
1102f220b961bb97263d1f66c70bc7f9dc23bbdb6352bc5275d2cb8d12e025e4

SHA512
24f6362803aeff8348de4e2ce0a6d23d5fca7d09529f09571b31e59daa8cd5a2ecef88353635c34f67e4a4dfcf3f580281a144e3ed02f0c02998728cc609c313

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
80d0b05e6ce05a5cbbf89e15c5257bea

SHA1
069c80033efd82a64be9374f6568ca8756ff218c

SHA256
e86f3a5d2801620ee0ad3e1fb3add29f06d90953d33685dcf0a8997a23aae5c0

SHA512
9f99556e6838701d440ba1e2500fa25d5754537819c339753f679b9a0648b4683082ffee76cb54a3c45b2898111b120a340db759083898b6577e5a572b21684a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
fb7e0d4c782f840883609c78f2916f9d

SHA1
b73e1b9aeeee1479b0ed2358ac78d1e60d75cc39

SHA256
0c01e2eb7409932b535512034a95deba99a2cff4a7d9c89c2d7fa10e48c8ddfe

SHA512
ae751674a3a954986a0bf9d67dd68e2e372f0af2365e6eef7fe752692275c3ba7f7bb48981d92383612a330cde8aba98284312cce5d8bce4e992c0cdcc95d1e5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
5fb787bdd833882d48b6557136c03c65

SHA1
824871ccc983047b2e54cab132ddf0595d04ba0a

SHA256
34457622360eca5a04b90c9abb3cf5349d082cba8e040ea94bb149703ace08f4

SHA512
34cffa8dcd1dde731d4a24133266f1e2289df335217d9555f5711ec57d44e6e228158dd11f54ec6c3d392530a53ae9c9c0fb678f4f56922d3bb08941f2ca8d96

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/288-86-0x0000000000000000-mapping.dmp

Download
memory/332-161-0x0000000000000000-mapping.dmp

Download
memory/436-121-0x0000000000000000-mapping.dmp

Download
memory/652-136-0x0000000000000000-mapping.dmp

Download
memory/836-101-0x0000000000000000-mapping.dmp

Download
memory/836-71-0x0000000000000000-mapping.dmp

Download
memory/848-59-0x0000000000000000-mapping.dmp

Download
memory/912-106-0x0000000000000000-mapping.dmp

Download
memory/1112-111-0x0000000000000000-mapping.dmp

Download
memory/1128-131-0x0000000000000000-mapping.dmp

Download
memory/1156-166-0x0000000000000000-mapping.dmp

Download
memory/1256-81-0x0000000000000000-mapping.dmp

Download
memory/1504-146-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1564-96-0x0000000000000000-mapping.dmp

Download
memory/1576-141-0x0000000000000000-mapping.dmp

Download
memory/1576-61-0x0000000000000000-mapping.dmp

Download
memory/1596-156-0x0000000000000000-mapping.dmp

Download
memory/1612-126-0x0000000000000000-mapping.dmp

Download
memory/1624-76-0x0000000000000000-mapping.dmp

Download
memory/1748-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1800-151-0x0000000000000000-mapping.dmp

Download
memory/1816-91-0x0000000000000000-mapping.dmp

Download
memory/2000-116-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1748 wrote to memory of 848	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 1748 wrote to memory of 848	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 1748 wrote to memory of 848	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 1748 wrote to memory of 848	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 1748 wrote to memory of 1576	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1748 wrote to memory of 1576	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1748 wrote to memory of 1576	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1748 wrote to memory of 1576	1748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1576 wrote to memory of 1512	1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1576 wrote to memory of 1512	1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1576 wrote to memory of 1512	1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1576 wrote to memory of 1512	1576	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1512 wrote to memory of 836	1512	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1512 wrote to memory of 836	1512	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1512 wrote to memory of 836	1512	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1512 wrote to memory of 836	1512	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 1624	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 1624	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 1624	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 1624	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1624 wrote to memory of 1256	1624	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1624 wrote to memory of 1256	1624	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1624 wrote to memory of 1256	1624	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1624 wrote to memory of 1256	1624	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1256 wrote to memory of 288	1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1256 wrote to memory of 288	1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1256 wrote to memory of 288	1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1256 wrote to memory of 288	1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 288 wrote to memory of 1816	288	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 288 wrote to memory of 1816	288	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 288 wrote to memory of 1816	288	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 288 wrote to memory of 1816	288	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1816 wrote to memory of 1564	1816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1816 wrote to memory of 1564	1816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1816 wrote to memory of 1564	1816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1816 wrote to memory of 1564	1816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1564 wrote to memory of 836	1564	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1564 wrote to memory of 836	1564	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1564 wrote to memory of 836	1564	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1564 wrote to memory of 836	1564	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 912	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 912	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 912	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 836 wrote to memory of 912	836	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 912 wrote to memory of 1112	912	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 912 wrote to memory of 1112	912	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 912 wrote to memory of 1112	912	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 912 wrote to memory of 1112	912	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1112 wrote to memory of 2000	1112	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1112 wrote to memory of 2000	1112	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1112 wrote to memory of 2000	1112	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1112 wrote to memory of 2000	1112	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 436	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 436	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 436	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 436	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 436 wrote to memory of 1612	436	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 436 wrote to memory of 1612	436	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 436 wrote to memory of 1612	436	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 436 wrote to memory of 1612	436	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1612 wrote to memory of 1128	1612	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1612 wrote to memory of 1128	1612	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1612 wrote to memory of 1128	1612	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1612 wrote to memory of 1128	1612	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe