1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Size

134KB
MD5

38c25c26e1229d952000f20755d69dc1
SHA1

607f4db1e5d22e20df3e3e033f979364b6862291
SHA256

1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37
SHA512

9e8a8df81fbec0e8c3f82d16f9310b9404ddc60f6f00d167f5eaf2744441ff90a5d8cc7666827cd3c62d6d844cbe28d6fd1ab5bbd076e0c92142a859309e17da

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 3 IoCs

Processes:

pid	process
1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\J:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\O:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\V:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\R:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\W:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\L:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\J:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\V:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\S:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\U:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\M:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\T:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\I:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\J:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\W:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\O:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\U:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\N:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\I:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\W:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\S:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\T:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\T:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\S:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\J:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\R:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\X:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\N:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\Q:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\R:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\G:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\K:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\X:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\H:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\N:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\H:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\V:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\I:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\V:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\H:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\K:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\M:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\L:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\I:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\F:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\M:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\H:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\O:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\U:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\K:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened (read-only)	\??\P:	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Drops file in System32 directory 3 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

pid	process
1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
568	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1824	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1480	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1632	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1624	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
564	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1772	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1700	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1000	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1324	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1552	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1908	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1344	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1524	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
432	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1924	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1336	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

pid	process
1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
"C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
C:\Users\Admin\AppData\Local\Temp\1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
22⤵
- Drops file in Drivers directory
PID:1940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fa22a423dadadb21d836c96665c0caa4

SHA1
40dce759bae6b2c451e1bc6be8d51b38f70cec79

SHA256
ebb0ab6a6deb2e16cf7caf18de7ff16520140b64a4d5626d00a3df88267bad83

SHA512
4cf4e41f6ed9ef8890c86ea4ffe4c048afb6ebaa016a21661385b731806092762f796ddbd51ddd8289bb4c259c77e6ab61d49f00ddadcb978306f084fd9ddedb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3291a4f8659b44aac5ca4fd4845417ff

SHA1
5eb3ebd95147c6c5e1e5505fe38dda17933a7fca

SHA256
e4133f3f50b299f2e781cf958e6fc441d3a85ad946a55021220eee0728de5bcc

SHA512
2e9ac7cf3bffe4989fdda42ddcab3bba5a95fa8c33ced250dd31c4f12b5f4d7825b01aa44cedd6d6770458f7a0c2e4199a0432ff5f7d5b98d59b865f630a9415

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b7b8c3f68f69a02266e9ede812bef54b

SHA1
28f190a960c9e672804cca802998d5bf9f32fc0b

SHA256
3aa3ccfdefd6066c388e9f3314fd75f44791a2dbd2189829e34e76ff4b477297

SHA512
2ea2de0aa2a86a70046ef028f4884da28d01a769b3b9b5768f09f8ab6b9ccaaa93321a372d95095f868606296c015b5e02b4356c644c9ecb2c7bd668c9cb821d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bc56f2192994f051d2f540ace4103f51

SHA1
6003f8ccf6325672cef4da89584a63f0bd7f8ff3

SHA256
eef2595d1679e71cba0292b846260cb762cb71ae133cc022b97a096a9f825b86

SHA512
237e45947e1bb52e7fbe8c26e9a4b0ffe036565250e3eb784d23e419a7a52dfaacf12321a3c0aee2df1eac02e7df6c358d0110d174f633dbe2725e93972561fc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
012a5fd122f6b2a73fa4c2d0d44c242d

SHA1
5d3a3ef4fafc3536dcb7c22988bd09a53baa44eb

SHA256
27bf2d491fb24130b7612242f905004708dfcf5f8845628c7b4c24689e4a79fb

SHA512
9fd9a5d45df6aceb58f948d288ed0a2db4e9ac8d04f12f1b265539a8d07adc95d174ff38bf410409935baa822e588ca3e48aadcc9c6d8b7a8243900a757e91cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a1f8b3abea7b629c34cf925f565810d6

SHA1
e819935930ced64fccd0afd6756ade649206b686

SHA256
bb0fa4ee9d4d150fe8e76b194b79d67f78e1332f6a0cbb3d1e13da1e3e89b77f

SHA512
cd28ceb3e8740ebd92194c209ead7c7adba8da5ddc4e4c04cced43642c6a9a6c39215c545b2692dc071d0bd524d09f27808ff7bc97b536c9aabb1e781350c416

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
52385c8a1f735fa769b078fa4887f898

SHA1
86d2ad1a3491cdedba010879d1d8d0dea68cc359

SHA256
acbbdb89a42233630fbbd50a07a1b4a2dff62f2efe470dfd457b13c6a2b4d93b

SHA512
19cece1c8e179498fb43adf1ab2cca80c553c57226fb31fc7dc222f87aad74b98a4db251419822323a9fd84adf72b4d69a28b288805ab936997c93e074cf2e8f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fb1ba07d751da7bd3f00600619dc5a4b

SHA1
73bacfaa95d91ffcd1a4d9117582dd98a30c9147

SHA256
92a60d91f9d4258184070c18a763f045c3580de8cdd00b31b630d196b3720c27

SHA512
875b32165dff6e6400950b7c893f8fd1885392a005103b292aeb85dda747737ef83bc5a8a884ceeae2eab7a316f207e24c1cebfb9af80e4579d28bc171c225d7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f82744c4097816001f49fa72793ba684

SHA1
a95e75477f9ebe82647ba3e0c2316396e41db67f

SHA256
97d7d3e4c262dfb86983e7c4a5fcc8316343fd913d2bc9e0125606ca551b5fee

SHA512
8d0ea0b7900d55f7246db969369a80ed4077c5e5e1836f28c166856dd9be0fa11e29de7473b9c7c1741380ae7512723c4f8fed34478e7cb173ecd3e1b45c9009

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b9cbb9912d6bab23661ff877e39588c8

SHA1
7db8ac594915524aae5b18b5a9d63abfddfca6bc

SHA256
e3096c5b3b64780a594a679940bbcb8dc81fae9fe17e290ae633f689440b69cf

SHA512
85c4afd35fdb018325f579b5a6506e93d0b1e231c222ce4addbafef49cc3d8414db3217769c9d949a23289f1a3ba59fd9fcc0c76ebdb2d74aa9b4d0d3641b46e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1c3da69e3bb08e8e5cd7287ac6e79992

SHA1
b527270aa1f3389c2ce4b437741f7c8996c989e7

SHA256
6151f35f72a89674dbb87c90bf242895e81bfd35d0f32a9a09c637c4a1ad3fb6

SHA512
6de4d8d1bebcabe743c0df10dbd6eb83a1253a9da740e16807da1362796cdcf15df2c9a52d866aaf6dabd57310c38f72dde2b1a6b82c630bbb6f0809f5754b92

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1449b3aaa6073a2b64686d2948efbb23

SHA1
719a056e84958e0f917ccbbcd6e035cf5ce7c5af

SHA256
fd1c789e89208cf2ddbe780af638cd9737d9bc5a99fbaea629ef934bead981e9

SHA512
69751d72d4bcf57f1a081ffc207e33bf426406542d4e6a66dd2688005d3e60c4be7205f1961c6aa6e6ca61e3b34b2f2b30f18d5eba2017d8d477df2360347377

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
feee57f274be6ac68df6baa07fe1fca7

SHA1
20a68f6c375a6bd17eac1365757ea3f930d09968

SHA256
1dddadf44a53681e4a23f496acf57e01e5e53c87bfb94a1185dd342745c166b0

SHA512
4282bb691531feb5d59d1ce20267befcc1c00c9928ed09c0dbbefefdf93251fa6943f0fc92d41c0916294dba608bfc137e458385b56b655d225161ccb82f9a00

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
933833151240df3d5c4f3d3699f7db10

SHA1
68a00b7e10b20229b128dd37aa14145077754107

SHA256
8fc44fe7d3aa9e19b25c18b529d3d1e7f89bb274d7d031ad1d27abe17b2da139

SHA512
d05ed71a904cdd480b08bd7ddc6840aa9407e2ec482f2477869d0b9ff293e9d261ac61d6c4aa1eddc38640963ebcb025953e6727c373e230d20f4b2f002168d2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5d33e5687d66b846a03bc44aebfd34c5

SHA1
5e93941bc5f0102324ec52dae1633fa6203baee7

SHA256
841a8eff7456275c40c9aa456ff5990ea356ec613d2aa028a4e938b0903544b4

SHA512
74ff8a4a8e0974e930e0c1cc5e470d7f55cfed157a88d9dee2087695024128d92a06721aa4385b145bb5e141162266ebbb312c6902913a29b0720d579a3963ce

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0ca6dc735611ebf7646232dedb8c2cc6

SHA1
28bd90b26b6eb0c218439e6408da6b4f54138736

SHA256
500001384129d0c06ac48d24ff74396d7ed27a5a09ae880fe2fdeed5be0ec210

SHA512
ab387b86c2884d379084c2a162b4deea251051f7a134a03abd1336e4ed7eb25b1a798b8c80c400062d18ee9c6ae69329ecf77cd45750bb0e48852820a7c902d7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a0d2c70950355994fadcb71b9509c82e

SHA1
5038b5a182a58d1278cbf27cd65c2eeb94881938

SHA256
fd4b2493952f52b4bf107c81085080d6694daa120e034cb12cce9499b614c1f2

SHA512
dcb96307a4712626a4eb73faed928fec049fe97157e4d9ac4b0f61963dbb8161c080598d1113d98bd4e28f9072c72195f8df909bd20f2efeb2bae2c2f419392c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ade98b10940d81425e3da590035cbe01

SHA1
64479c4caf3cfa41261c664d5c707c877b448824

SHA256
e54f564e1026a7f29b14018dd2f81ace962d881acdf172e2d7ca696b090e3a31

SHA512
f145adecee37ab961421aaf4cf8bf5c25e18c103aa91f8b53246a6353c2a2300049caa9c67401ce0c15018a4911e8698187d24366d7f02085f05b5b743c7946e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9384df3fb6028b1c63c939e5bb9b5490

SHA1
4417fa2eb7f8e2bcfeb62fdcaa0a77c67987ed8c

SHA256
f1ba9f1285d39c29ede2cad14eccec03bd7c749a61f7d35c342e0df06ddc58ca

SHA512
f33d5c88f3fc4dc5c89c893343c9c5ba739808c480f9066e32f05c2b093193327c8468775aded9f6a9a87b34b7e3437b1f4995760ded71203a2c657dac968bb9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2b5a5106b4e8516716f2ba7d1605d3f9

SHA1
77547e29cb12fd339a624c02315876bd28076cf6

SHA256
db8081f53c3d3d4d2c4c3c51d65f904eb7fd6c12dad797d7ac2c796b2640f1a2

SHA512
9962320a2ae3f146362d014c790341178cd517e7699faeb52b9a507c0d2f5c14da505e1233f0efd79805eeaa16abce00ffa989d2daa779889e16d83ebb06dad8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9ddfaccabf9333ca48350073505d73ec

SHA1
d5a8bd05d7ad369bb2d6065037857ddd56f53cbb

SHA256
c7ec97577edee0521d87df1fd60497633b72ce71eaab13ea3f384c6b72512793

SHA512
818145bb275e91c26588847ae8063a24b157989fe4a9d777346c7fc212b5175d9e5e54c25bb57ff601d745ba073c2bdcc16d37bd49808d02d7719ab813998f35

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1551acedacfcbe4f1d5c59e547ef0259

SHA1
3562815c753ee8d68f0eb25b8d98693bd330a2fa

SHA256
d365e3d352583111409ea3835ebdfd505586552aaa79c2fada2ff0eda25ef994

SHA512
507e99f196c274a62d68717d411a541d0fe5c4356c179db79d088c0055ec687ec40e2b5eb2f057f5f39aa84486d2ab546262a540da5a219a62799bc4b3446efe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9fe8786776451328b84ca171f8270728

SHA1
66fd56848121f2e1c655e8801d77855524b43b68

SHA256
1c71249115f141511b94cf8c1cca8bd6cfb9daf1e88a74f58c78cd8290694fcb

SHA512
a9a13c3a6f146b9cd59ddd7239d3b454ac1c37e0e6fa7537be3743f307725d9da4e5fde127aee8a5dd9dd0cd6c86cd6efa9d33a49b69ff514049aad1287d062f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7042c6a56fac4eec36a7a7cfc7d7e729

SHA1
7e73573703bb425f8b9111fea468011a74de5259

SHA256
4f478177d733d1b98a8298abe3de3348b44a77827e22732192f8c4678619e390

SHA512
b111e73e714e8cc51855b04ca8ee85a67a15c0ace4e0a4e44006f0154cba8fea3f6c35ace67f9aa8dff8e73406d01e8eea410353db9a5552eb3b6b5346a688de

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2013a448db347c7bc459dd2b93f46e5c

SHA1
ce730a66648ee8cd7b867344e0253ba40f50ef2a

SHA256
a05179d3e354ef2b09f2d0c3d22c7e1f2bd91fdeba3c08f069c1bbd6c4775dec

SHA512
d8b867879d7cfc2b355c5ce87ccbacb5fac4c400c2800286b7fc42b02bdbe03395ab7168240f7d8a445faa6111de37eea08eb4b0645b10ec64ebb365d29e6b07

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a4ddceddb556c40383cc41b95c883fd3

SHA1
81db7ee326b0c83482f820dec2012e6bd5d21b9f

SHA256
1f43b8ef93c2551ef05d06c8cf2096916bbd59ff80dbaebbb88914c7f0f759a5

SHA512
fa203529fe404b07a5c01a9d4dfc432883df2174ee5f403127b3d02bc9253238e17790abc34a424f92f8f13ccfd2a8ada03ae81e5ac0aa2ba47e04eed0a7d89e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e5cfbdf05f940dcf693439c61dfeb27a

SHA1
a8dcaff9a83bae0ffa1b0f12f2a4f92f1096760b

SHA256
e298810a7f260db88c5443b772e86887410256669f07f5dc7f3d2cd386b7523f

SHA512
8f1ef658888b3d3202e7d59d5a64f002b5ca0fae48e96260245bcd0a164f13fb39bed718eeebc37d6cac547fe782f17d2ca83aad04c21204e2a203286e6d11a0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fccb77951a2880a24b763350bbc82080

SHA1
95ff1a2eaa0a9632204f578f96f492fe7bb3e6f4

SHA256
b28c25c78ad5536b6ea7ce51562dca9bfbb26028c712741f811d30c70dafb142

SHA512
c26ef58cdb7e9baf2973386ba118a274cdbe96228439934051209181631eeb0553eca5099fe1e39da46b7407cb92cf4f0442f1889a6bae1d9664976298c7eba1

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/432-154-0x0000000000000000-mapping.dmp

Download
memory/564-109-0x0000000000000000-mapping.dmp

Download
memory/568-67-0x0000000000000000-mapping.dmp

Download
memory/1000-124-0x0000000000000000-mapping.dmp

Download
memory/1100-61-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/1324-129-0x0000000000000000-mapping.dmp

Download
memory/1336-164-0x0000000000000000-mapping.dmp

Download
memory/1344-144-0x0000000000000000-mapping.dmp

Download
memory/1468-73-0x0000000000000000-mapping.dmp

Download
memory/1480-94-0x0000000000000000-mapping.dmp

Download
memory/1524-149-0x0000000000000000-mapping.dmp

Download
memory/1552-134-0x0000000000000000-mapping.dmp

Download
memory/1576-62-0x0000000000000000-mapping.dmp

Download
memory/1624-104-0x0000000000000000-mapping.dmp

Download
memory/1632-99-0x0000000000000000-mapping.dmp

Download
memory/1680-78-0x0000000000000000-mapping.dmp

Download
memory/1700-119-0x0000000000000000-mapping.dmp

Download
memory/1732-60-0x0000000000000000-mapping.dmp

Download
memory/1772-114-0x0000000000000000-mapping.dmp

Download
memory/1824-86-0x0000000000000000-mapping.dmp

Download
memory/1908-139-0x0000000000000000-mapping.dmp

Download
memory/1924-159-0x0000000000000000-mapping.dmp

Download
memory/1940-166-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1100 wrote to memory of 1732	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	reg.exe
PID 1100 wrote to memory of 1732	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	reg.exe
PID 1100 wrote to memory of 1732	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	reg.exe
PID 1100 wrote to memory of 1732	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	reg.exe
PID 1100 wrote to memory of 1576	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1100 wrote to memory of 1576	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1100 wrote to memory of 1576	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1100 wrote to memory of 1576	1100	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1576 wrote to memory of 568	1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1576 wrote to memory of 568	1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1576 wrote to memory of 568	1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1576 wrote to memory of 568	1576	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 568 wrote to memory of 1468	568	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 568 wrote to memory of 1468	568	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 568 wrote to memory of 1468	568	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 568 wrote to memory of 1468	568	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1468 wrote to memory of 1680	1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1468 wrote to memory of 1680	1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1468 wrote to memory of 1680	1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1468 wrote to memory of 1680	1468	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1680 wrote to memory of 1824	1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1680 wrote to memory of 1824	1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1680 wrote to memory of 1824	1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1680 wrote to memory of 1824	1680	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1824 wrote to memory of 1480	1824	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1824 wrote to memory of 1480	1824	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1824 wrote to memory of 1480	1824	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1824 wrote to memory of 1480	1824	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1480 wrote to memory of 1632	1480	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1480 wrote to memory of 1632	1480	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1480 wrote to memory of 1632	1480	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1480 wrote to memory of 1632	1480	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1632 wrote to memory of 1624	1632	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1632 wrote to memory of 1624	1632	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1632 wrote to memory of 1624	1632	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1632 wrote to memory of 1624	1632	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1624 wrote to memory of 564	1624	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1624 wrote to memory of 564	1624	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1624 wrote to memory of 564	1624	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1624 wrote to memory of 564	1624	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 564 wrote to memory of 1772	564	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 564 wrote to memory of 1772	564	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 564 wrote to memory of 1772	564	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 564 wrote to memory of 1772	564	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1772 wrote to memory of 1700	1772	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1772 wrote to memory of 1700	1772	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1772 wrote to memory of 1700	1772	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1772 wrote to memory of 1700	1772	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1700 wrote to memory of 1000	1700	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1700 wrote to memory of 1000	1700	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1700 wrote to memory of 1000	1700	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1700 wrote to memory of 1000	1700	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1000 wrote to memory of 1324	1000	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1000 wrote to memory of 1324	1000	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1000 wrote to memory of 1324	1000	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1000 wrote to memory of 1324	1000	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1324 wrote to memory of 1552	1324	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1324 wrote to memory of 1552	1324	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1324 wrote to memory of 1552	1324	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1324 wrote to memory of 1552	1324	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1552 wrote to memory of 1908	1552	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1552 wrote to memory of 1908	1552	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1552 wrote to memory of 1908	1552	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe
PID 1552 wrote to memory of 1908	1552	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe	1a39dbe827a476c860e0daba96eeed6dfa40535294cce579d00741f6b0a57f37.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads