7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Size

1.0MB
MD5

51db7a3a3551bc1f4e6acdfd49c57c49
SHA1

3416072fdb6940ea50e2ba301a5b77f178b2af47
SHA256

7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1
SHA512

b86643042d49abdd9bcaa0947abbe45e6de037118723a5205f3f188d5af160906588cbce23f52ea18d3b66925cd3ee505367a6b80d57fb64fe30282ede5e8808

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\W:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\T:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\F:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\V:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\H:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\O:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\O:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\N:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\H:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\J:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\K:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\S:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\S:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\N:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\M:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\E:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\H:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\H:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\N:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\E:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\T:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\E:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\S:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\S:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\O:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\S:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\K:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\V:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\E:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\O:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\O:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\P:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\V:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\T:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\V:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\M:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\E:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\W:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\X:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\Q:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\J:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\U:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\H:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\L:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\L:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\J:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\U:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\R:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\M:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\I:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\W:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
File opened (read-only)	\??\G:	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1636	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1504	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
584	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
872	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1628	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
396	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1032	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
344	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
760	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1280	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
240	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
2004	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
552	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
668	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1704	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1908	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
288	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1620	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1332	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
604	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1444	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
1948	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
"C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:288

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:604

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
C:\Users\Admin\AppData\Local\Temp\7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
23⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b40fefff56240df671f2ab593488ad51

SHA1
4dc6a34fc8dea612857393a86b3be29fdf56d1de

SHA256
bbfdbd0ce038cf1326eb826d96518e645af52f5c8fc42a873c07b28212548f1a

SHA512
5837f1f811dd8afb5adbd790c0ee846eb8d921c86c644305d49cf39d05aa6714c0315484d73395029ebef84108c7f2a7a727c9a2ab19d76e5869ad31f1ce97de

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
90db56fba9cf3bbdd9622c094471ce86

SHA1
153e9764bf67565f802fad2fd76988815ee89247

SHA256
94e02baec344eb6ee7b7e0c89f0190e70f4bd3ffa3edc296d1fc0f5f70c71d0d

SHA512
47447938081e4626869d1617de25df7cdf7fc56d41127363453156a0167ac5923bec68e764e8d9cb2e290624467eb4273e1de3655cbcf925db97763c598f8280

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
74a2d18743f4ed1fa26d4337b86e1b89

SHA1
4e181b95694f41578c3d27a43288c2545303391c

SHA256
04a9b7de479aa4296a4a132cc4ce4b8b8a960e0e765246b20136f772f511b437

SHA512
2d724f1516510a38c553d2a74bbf52ce848a81136ac01fe7a85ae7ba4cfbffb1740e56fe5a2ceab8bd0a600bce066256be231f5b4c43114edb2a88bee71cfc5b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8c0aab999c15c92b73a7f19b5928797e

SHA1
af96759342175a2b6bce0b79d3d173893c37e407

SHA256
1f0d7612b369f1afd13f7fa8743cd907ebc74737a1ae97c9145767bb72af4a44

SHA512
4ecc7d188a4c1babd0ee4ee420e08f8014c2c06752c1e4b33fdd0d1a26301d5bc95e2b6d1b2f171993a3574cd46490b6a3fa1893dd314550f93bf983aaa0618b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e0c650d79fb49d6df54957ad3071d00b

SHA1
99529a8782a6736e2348b3effddcde1a433c8787

SHA256
3784605eb5eb27055570f312251a4961037261972c8494db41a58f5604a901d5

SHA512
45255dcf5259d5ef1d7d4f263abe4f7ad114647fe18bba163901f32d9255ae1962f9ffa4723cbbf074c0948ad84aeada151b50fdc1981bb3657d0409a7e47c01

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f4fdf55244eb90965009ab2675c1e262

SHA1
63507ef8eebf8728784cc2907e41fd2eee653e1a

SHA256
c25f3a412d6a76f9a27903a2b818f7024a6bfaa68dd3503c79bd349c8feea362

SHA512
a204980125b29b61fc50885715e983538c47ab149cbbc37d28692caffa315bc4b0172732a05794fdcbe144904077fcf835b45e58295bd91baaf0c268ddad6354

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f07c7ce18e40be750c914f864b46ab5a

SHA1
3e7d460ff8cf8421482016b22d7034445324d669

SHA256
597c0ea1c8bfa10ae3f7aecb06e40cf3a13926044745c61fc2f5aef64a2e40eb

SHA512
b711b078cda9f1d555a7eccc6ae221598a047cb1c118171fae1a704ebc0dbee196883c714d3535ffa0a08c2f79b1c786da1311bde36c0fa1580279eb1de81416

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
eae59bfdf36eb2e22b9e044fc5f2b71d

SHA1
8f8b99acab7247a50808464aae637b4cb03f7f0e

SHA256
eb962dde1b98d67e20ee3faeaa20a8c59f7f8ea0c8550d3cdadecaead5d797fe

SHA512
5e492f7f8aeddab3ff61c3006257c7fde67edd860ab991e9a45da49b56b973ae37f347f40a9fd72bfa94578c6d5ef08e756972a5c6ffd6719668b0e1b9557060

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e08135c613ea61c344a0c4a8f3ae4e96

SHA1
0d98ec48d763b2b4546e1994654b14f4a5071580

SHA256
533099ea571a595a16786542e40e69b35ecd8a49aa205b5c80bbee71dad71a10

SHA512
db6eb93d18c589c0adf681ac278b1c536bdaeae7b90a7610a56845fe8eb55fba6a1af06d1e02e27bb821bafcfa71683e2a8e09fb7113947a9aa702ebc0f829c7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5be03360e65eb8ef4a68bd676be1b8e7

SHA1
92b3f4912f5ef22684acd6d2a192a86ddc528081

SHA256
de6549959e674f5396d1e219d84b5edd805338f50f16e68d1222dc6ab68a8f6a

SHA512
08255d534aed61bd6a43c84f054e18efd580b0e86d55f897595f6c38463e5c099c8c2a7fabd581e9c05372ab1a492b2db514c53701ae85dd7174232b65b5b1f3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d0390ee627a126edf4251ea7e62084b2

SHA1
2a2b2788b4d421d603de8f113b176e2fff2dfffe

SHA256
955aec2b784eff3e81b8bb605f8bd51c67662bab1e9459ea0dd8d8d14a7d41af

SHA512
1965725ba787d8bbfa9ec8dad2295272209c34651fc898e6e76d55fbd5f17ee603278ec62d41784ce16daae25be3689764750c728261d9cae9ed74abca0c4f1c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2148edadcbc38d572a607d987d4197f8

SHA1
08d34c8067d5035cfba1e3a6c50081575182912d

SHA256
c57cc17b0ebcf5ed1306398febb3d56e1f3ad71ba7d58166cec3d94c4ac8c150

SHA512
201f72983efeafc7159950482085cbc8e9d5194e6346de89a34834e08965c8be0bfacf7788796859e402b7f650d340f81ddeb2fbb4e5c8076e6859fc77d74ebd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d893faaf489401b2a8e647d8f6b457b6

SHA1
fd6309e380c68a430b7cc00c31385ab2773228f1

SHA256
48827360ff67438371813a06d461575f3998f4e76cd46f1b41e1412d10eabf75

SHA512
8742a54cce11ff19731764237d8721134111b2d9a96f6f763bc228d748c0dd6a87decf15e3037f3e89d215a56d99e79d61b7a5e662b55e723dd9ad468406c0cb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
02838d2a253efd1ff0ba2d68fc426885

SHA1
74f991c97055aa9d8f2dd22f3ebe1132d9c9369d

SHA256
b1dfb1caaeaee0a77a618f0df165045a8a916168e138e8b40e0dba4ac7302acd

SHA512
a9170c4893ca79e4270c399d212c1d497361709a0f473e7cf261e9d96c141ae13654072f7764aec62f0e8302a96bf16c1b0fbb3db342066f86e2f0fc257f04d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
88f56ffb13f12b378b4a661485d1524f

SHA1
ae027548e2192d96e84b6b40a2a1e009a2066cb8

SHA256
a8d1a0febcabf56d2589503d50cfa9f9a921dc0e4c918f4b359b452ce2a226c3

SHA512
28e6ac7266fbebcd5db815c079cffe021154aabd85edaa3448411704897139e2ac2ccde876a0ecd7547dd12d309c35071e90055d18cb5315737d286b373d7a30

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7e1d217479682fdbe42a7c83e2166955

SHA1
a56514c824490bb3780dc0aeed596daf47969e2b

SHA256
3ba330453f0aa7f97b87c26ef918a7875e4ea090ff4a33ccfea459b42a7e3375

SHA512
88dad26b233288367d983594191f86cb8f089356223d7706bf8ca8be2cb26847931c82695df35a91161c57f4c6649dc043ac2e9861f3b095adc17ce7fbd25791

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bd100527b8f37fe402b2762657aed896

SHA1
a8134ce2a36479dcb0e949e92ab615db19f973a5

SHA256
e1dc02149bc4c383d01e5dc57c3bc8ab37e9949981d149ed7d06a0aa94b58b2c

SHA512
c96712442e0aab0421a2df027ed23b6db802ae156479b13ad27acd14b5865375bf978cf108ed47388350078b5b7ab1843463364ae025e611d4a08a94cfedea5f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3e3f124085b29f5b4459352ed948190b

SHA1
d0d18c8936d44a9b978a4ff4ef5f3a1d668f73a5

SHA256
fd4e773ea4a85ad192ec1c278ff22c63ba12fea941db517b06a994074efd2d1f

SHA512
54983d2c1af7b10ab3d5d595f96e8cf94739a6ff0d7a8a2e7e623f5e0e3cb901555997255660c069b20b478dfdf6d256e6e200468bc5d3a23126365947d7326d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7c961ec209157e27f6a16b9014bd052e

SHA1
1f108be4d6ff7b6197d1552e7a35622c63814ebd

SHA256
7384df422254eea7d8a57496ea7dab60ffb1b134b2b15ed8b099f9812cade125

SHA512
3ef9259f021cd717eeae93be1af1c700c5ab36f1822cffc44f5cf5169c0c0d0d396e514b93143f6581e1bef22060f3c709d2bd48fa732fec0f0f943c3e5d4abf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b139d77269520781d0eb564e1d93f4bd

SHA1
218abee1404d05c3edb26edf84183cac9ab3cd5d

SHA256
b20c845a5fda368c6146d8d62c6f2de9d64a85f14a64a7b427f7cd9e5394e2f4

SHA512
05daf9b0a817c4e8e0ed13a329a9f6397bd6fdd26e3c6825462a1bd0fe70ef1513881b082691f0419420025f8d0a516a6047934817803aa285f113d467e97365

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ae75e0b661c831d1d54762df4cfcf026

SHA1
0af8d9fb1eaf5b698c478be42a7cfb69af60e50e

SHA256
5d72d7d156563c71031046d9aa63f822ba5be7005dd871b9501f2dc71c3640bb

SHA512
3599ebdba94be780effcfa2b18ed243c55a6a25cbc1134426651e4945987af1c3236dcc59edb543dbadf5f7863111d1683bc5ae5781936365f898ba08a707692

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4ae53fa75c39a3ce3925c026526bf2c3

SHA1
9138045c5430aa75796cea2e76c423cf9ebaeb50

SHA256
53f57759f98545b36b3fdba785f4f79bb1e55d2322aa4e2a4989b646c645936f

SHA512
d081f23f785cc2b3bce7bcc7e382e9d70af2afe590d9267df870d1a57c3c0e832c0d409ec91d84c339b141dbeb37d5ba46c323bf2b299efec9163e9bf3b2dbd5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7c3686ff4653f0214d59a6d7d0026e78

SHA1
2c8fd266e60595457f125502d24b5e724510cfe4

SHA256
0ec4aed17237146b1305aec045d75f3ea9355b65e9cd1715ccc189020c80d246

SHA512
f4a7678eea5c6e8d584c149bb3652c6dc0545a967fb01dd661db245eac8e97f616b0c9c83bd63cf5980cf08e0e063be33cea7bf5997314e3983f223ead70eea2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
47b4f8dfc23bfb4fad9451824e675509

SHA1
e5d09ffcae6a5f44d57d44f26121c33a0a87f360

SHA256
da6f1e4266630f2e28fbff1640b9d4239b5417a94ac83a688b1f716f4e49a577

SHA512
1514b878f49dfbf7061b744832fe38f4e2c24a5a95232c2131d738daf41b949c4c939f1493996f64c697bdb3e7b205bc7ec01ce4365f5e10cac26398cf7551da

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/240-111-0x0000000000000000-mapping.dmp

Download
memory/288-141-0x0000000000000000-mapping.dmp

Download
memory/344-96-0x0000000000000000-mapping.dmp

Download
memory/396-86-0x0000000000000000-mapping.dmp

Download
memory/552-121-0x0000000000000000-mapping.dmp

Download
memory/584-71-0x0000000000000000-mapping.dmp

Download
memory/604-156-0x0000000000000000-mapping.dmp

Download
memory/668-126-0x0000000000000000-mapping.dmp

Download
memory/760-101-0x0000000000000000-mapping.dmp

Download
memory/872-76-0x0000000000000000-mapping.dmp

Download
memory/1032-91-0x0000000000000000-mapping.dmp

Download
memory/1104-61-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1280-106-0x0000000000000000-mapping.dmp

Download
memory/1332-151-0x0000000000000000-mapping.dmp

Download
memory/1444-161-0x0000000000000000-mapping.dmp

Download
memory/1504-67-0x0000000000000000-mapping.dmp

Download
memory/1620-146-0x0000000000000000-mapping.dmp

Download
memory/1628-81-0x0000000000000000-mapping.dmp

Download
memory/1636-62-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download
memory/1704-131-0x0000000000000000-mapping.dmp

Download
memory/1908-136-0x0000000000000000-mapping.dmp

Download
memory/1948-166-0x0000000000000000-mapping.dmp

Download
memory/2004-116-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1104 wrote to memory of 1700	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	reg.exe
PID 1104 wrote to memory of 1700	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	reg.exe
PID 1104 wrote to memory of 1700	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	reg.exe
PID 1104 wrote to memory of 1700	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	reg.exe
PID 1104 wrote to memory of 1636	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1104 wrote to memory of 1636	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1104 wrote to memory of 1636	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1104 wrote to memory of 1636	1104	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1636 wrote to memory of 1504	1636	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1636 wrote to memory of 1504	1636	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1636 wrote to memory of 1504	1636	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1636 wrote to memory of 1504	1636	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1504 wrote to memory of 584	1504	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1504 wrote to memory of 584	1504	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1504 wrote to memory of 584	1504	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1504 wrote to memory of 584	1504	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 584 wrote to memory of 872	584	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 584 wrote to memory of 872	584	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 584 wrote to memory of 872	584	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 584 wrote to memory of 872	584	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 872 wrote to memory of 1628	872	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 872 wrote to memory of 1628	872	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 872 wrote to memory of 1628	872	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 872 wrote to memory of 1628	872	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1628 wrote to memory of 396	1628	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1628 wrote to memory of 396	1628	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1628 wrote to memory of 396	1628	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1628 wrote to memory of 396	1628	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 396 wrote to memory of 1032	396	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 396 wrote to memory of 1032	396	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 396 wrote to memory of 1032	396	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 396 wrote to memory of 1032	396	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1032 wrote to memory of 344	1032	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1032 wrote to memory of 344	1032	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1032 wrote to memory of 344	1032	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1032 wrote to memory of 344	1032	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 344 wrote to memory of 760	344	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 344 wrote to memory of 760	344	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 344 wrote to memory of 760	344	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 344 wrote to memory of 760	344	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 760 wrote to memory of 1280	760	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 760 wrote to memory of 1280	760	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 760 wrote to memory of 1280	760	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 760 wrote to memory of 1280	760	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1280 wrote to memory of 240	1280	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1280 wrote to memory of 240	1280	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1280 wrote to memory of 240	1280	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 1280 wrote to memory of 240	1280	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 240 wrote to memory of 2004	240	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 240 wrote to memory of 2004	240	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 240 wrote to memory of 2004	240	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 240 wrote to memory of 2004	240	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 2004 wrote to memory of 552	2004	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 2004 wrote to memory of 552	2004	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 2004 wrote to memory of 552	2004	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 2004 wrote to memory of 552	2004	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 552 wrote to memory of 668	552	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 552 wrote to memory of 668	552	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 552 wrote to memory of 668	552	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 552 wrote to memory of 668	552	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 668 wrote to memory of 1704	668	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 668 wrote to memory of 1704	668	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 668 wrote to memory of 1704	668	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe
PID 668 wrote to memory of 1704	668	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe	7b624dce3063067f575f124bfd4a4dcbbac20094b19c52d62e8a5ed2702163c1.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads