92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a

Analysis

max time kernel
154s
max time network
156s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Size

1018KB
MD5

198353764b97d99ecbaddf2bc02830bb
SHA1

e43aa331854508a4f8486a473c7249038c6d4cdc
SHA256

92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a
SHA512

3fdd3069f74fe5bd0f5797fd8ab027ae4622220083816cb6fa993b571a5c8814c1389e0a83f399635bfc3745a29a45d3c6e5f664a03c90ac3b91b92b730bf21b

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\H:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\J:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\S:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\E:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\L:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\S:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\I:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\I:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\X:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\X:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\M:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\L:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\V:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\V:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\N:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\V:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\O:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\P:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\N:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\P:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\L:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\T:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\E:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\J:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\U:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\O:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\U:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\N:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\P:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\S:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\E:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\U:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\U:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\F:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\I:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\H:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\P:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\L:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\T:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\Q:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\H:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\S:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\N:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\W:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\J:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\S:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\T:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\H:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\O:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\N:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\O:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\G:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\K:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\R:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\M:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\G:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\K:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\T:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
File opened (read-only)	\??\V:	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

pid	process
784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1712	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1120	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1880	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1896	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1588	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1732	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1524	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
280	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
2044	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1508	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
768	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1924	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
948	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
316	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1548	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1072	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1056	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1920	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
2028	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
1688	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
"C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:316

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1056

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
C:\Users\Admin\AppData\Local\Temp\92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
23⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
22e8651f1c7787ff0f5be443b32e531f

SHA1
fdab865f904e8ce4a4ddbe32cb54d4e1dde32bc6

SHA256
5fed27a7b0608778358bfc8d1f19a04c752c601188275f9c5b4e6fafea9fe099

SHA512
f983431fbeb222030d0ae3387e98bf1cfa1e7df67fcdd5279d468b9c1b41d60b3a8db8db28b760cbe9e2161ffa875f00bc92e32cd7b0367ddfdf737846d1ab12

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d8825acabb18bd5177058e014c52d6c2

SHA1
748dc3b6f6b96e28170958c5e171a7de5b629872

SHA256
3521f4b4a4bf6c816c894f2f3d25b55dbd6ac6982457e6f10f7b1459a2897da1

SHA512
04bcec3776e33413f55def0443aa5e4970f0513118ad38843326f2e3a908ff263afb1f5c8b4bb0395bf5d626f80a16a8674cf4195c3fd3d42774f1e469a4ae3c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5d7dcd47b40eaf1bee1b0069b44237fd

SHA1
1f8bd30c51783013e956fed299687a00414c4a60

SHA256
a32e425ba0d650b4c73fd2b2436c7490c7ae2791f73d4c6481f64df421ae92f1

SHA512
843e00e7e4c35305145e3c10bc9e2e14f11014224ed37ee074f4a6a32d9bdaac67f69411d778d3cd36189b1430ecf69cce60477e360581d40f223f6616454bf6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2e85a6f8ab2c7e3f7b922126a71dde65

SHA1
dfdb718d9073efbf0605dd3adee6a2e27136601e

SHA256
ba2596c9fbfddbaaedd649e34cb88c563fb4d73036af24e902ff07767f1e8819

SHA512
ca3709f290f1ba438ab9e4f2f1a05c56fda5f1803ccb488246856ddd2a07a4e2881dcc310766b5ace2899e02cb14976b2e8f1d09d9407653c5ce8b2b2d7f3a1e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5ef0c338e5703f1937647abd335e122e

SHA1
28aafa176aa2fe45036f2569c734a9ab9f85f63b

SHA256
5da173ddaea3e7aaf9a061147b2c700c71265cf334e0659737b019f6cf3c5417

SHA512
8399e29deabd8596a71032a4cba167328d18b4a2d1efab52bbe030c49c47d6b7ae1db43984f5f3dda240cc3d216e602512a416d0739052b204898f7813b3b367

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b045ab8422c7f9675da49e3b86aa488d

SHA1
39ca9d1cf3d9c72dd5e2217a124efa07f14a01f9

SHA256
ba37bfc7f58a170c4d221c2f0f166ff8fe3fd4dccdf8053d08115764f4d7a093

SHA512
30f445d99845cb5282f1258b79b5633c8c69f05bba16f07a44c58e05dd0330e824a8051b985de62f313cfeddc1c8f2d59c45b909f7e3a7e3d1db922c93da38f9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9d3823dc2ca84fe7ffbce8574ed0c98a

SHA1
a74c4376ef4252a5a285bbe41bc8ffd209373504

SHA256
f2ed32c1df3c46a15a97162772d5ef23189e16db343a9846cd7551908c53f40a

SHA512
68ff5bd37614bf34059643ba918831659800cc24320c713a809623aa1496458b4f1de74af1e53c176459839a2184961de8a6ad88903b6129d936eda6933f1ad2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
36f1f14f40cc2581b9f125942fe4591c

SHA1
991c4423ea8cbe12c46adc1abe5a19756d7ee649

SHA256
f888a6ef6ec3b949148314ee62008705752cdc1e879a7648fe88c44687335c6b

SHA512
84ee0fe031f52cfb544f14f97019ac040b10a80b6b02c71e50efb870a4826be198571e8ea69e5182f72a61a6155e7f68e2f1c8b10e7e14e845b7e6eedb134688

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
09de4b6a502ff82958b10ef59c7c940d

SHA1
c2b0a1077508d1fd9a1813cc336e387f7029cc39

SHA256
cc10b938d37d442fedf73956b1595bb4f0c47b66288cb89202f9f77484cb9bce

SHA512
633a4d0c48cac0154b5d5f0978ebb992a6c0ff4a3f9b7059eb01648df9308787f48390fe6106477bf305d8d82f07f116351896c2243475a80c4e91295993de94

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4bf82d67ac8811e880715d64aa1d3d51

SHA1
043ef8734033f1cff75989aedc9863ff4ae04bc2

SHA256
2438e040a6234c6d6214abaa0b07a5a3ac11473fe3653688ac1a03e6774ee2c9

SHA512
25d5f7ba19300dcee9f5868591a8f5c8fbc95b7eb3413f39d707b10498cfd7efac3940f44b7532e42909a57b72c42e35928b77fb543b5efc63cf0f3833250219

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
84d95172450c062a2dcdf73d554fdf25

SHA1
8a8e0d2c064d78809e545334e456d35ebfa41c1d

SHA256
0652170a01b15b75afc191cf350653ccb2b8e273905d0ba964526742ca178832

SHA512
5ad7347792c1bf0638046e8a6bc959906e849c28e0fa9fd3f876a5c871c0a27f00a276ddf5170da84195f42159d7c217803ae934bba1e6c55ef1fd27288999c7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2b306ce0c23882edeaad949da2d4464a

SHA1
b6f3cdd5881c3d60e350530b518688c915b57fb5

SHA256
c7f003ce1921d66cd6ce92e39f2165f84bdcdf6f32d6b108b6ef787172ccc149

SHA512
d424e8b618fb140dfe9e5bc75f28b5f01ea4ad99fc0d0983f84c31cfd7a7b2f420adafb2f756bd209260bab5d0270ae3b42a4f08266ad6da9d06d76dd6dc4140

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
21f357e2112d4bf854a1888c853a979f

SHA1
9ce95e912689a8c65b36a88b009874dc3879b76b

SHA256
7730d39d00cbd2aa874b275df61310669246afeee1c015fc5603da0340f2c87f

SHA512
2efa9b860ed2a9a095abfa299ef5c38d81fd413998edf93db5d85d4d9c1293245fac319a419c42f946c9db33396b090f5a713487a4b9239f81df038ef72603f5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f3beb4273c225f22cfb0a61b2f23a540

SHA1
97f2072eeb98f063496147105d94a4a1a192a4a0

SHA256
065f4526e6693ba75c199d0cf9e390fab8fd847796b1f0093ed870e3d43dd264

SHA512
d86336439816dc0b0db5dbb59f7a060c31526e24957bd85ffcae4f830fc00ecde72b5365755d564d1404c76880b63d263d93f0a31564ba35603136c1ad7508dc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
98354fdf1e9f037bbc7f59610894c68a

SHA1
bcf7f8f572a9108ede6b5b029b9374c180af417b

SHA256
e3290670833cbc05f765168ce30a51d7521395125cd2faba38da8b3e1bd2d3d2

SHA512
ae75c925f497f0d3b60ccc9c1a927bf5a7fc8f3a1685b6f06a03c9a6712b239c1268d229c8093fa47c29da6b6866b1305cbaeaff69187b03f1a552708f9e4fcb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
349ba4462533c5361191bd5670e39897

SHA1
6059804377ecb23333c2865646dafab9833ff8c9

SHA256
69485f76f397415d6f6aadcabcddb86e8b071811104eefecb30026fd3591418f

SHA512
7977c6b741b86014dedb82dd8fc6900485a3bd2cff5883be46212897a0773186c35640bec53b007b8f35590aae140b480ba6e8c532c24c6be78d9fafb89c897c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1b3f4c5d2558f2d2c60523527911c7ae

SHA1
55ab5e9f66e997556ff783f0527a9049846d2624

SHA256
c7341d7d789daf87d3f008655547214b2c3ad53115051e17f2fd1948f3880379

SHA512
dd3e8fbda1f7f19a1d294cdcd84a16d8aa53398f9fdac5e5580e93057fd596f9a77ca15eaecbc0efff3ce9a5759a054c4795ec986b3f08e2098e4cc20ed5d900

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
42630678ea062f8414383fa654296cf6

SHA1
c13a3c07ae8e3301c64fc4c5d8108f41279c7c55

SHA256
8eb69328b1f39e5e2b6c45c25a47241d31e36560f50c3e646a078af2f82daa47

SHA512
17fa27b00dac2df30b18322dbc0a26deff87d32098d9f6d1c332c18046c24dc550065851afa7295d30bfb464614335be8a09698d4a51aa7aeb4cdc7f9e5bb2ee

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
501b91e08765f23a60f29681daf433eb

SHA1
c99a258cc50328fb076760eccf4345a38e693b4e

SHA256
0dbb1e1b5efe9db8741d82db4f76aa496789e4547af94e6d46a9b1c626a00e28

SHA512
17e8a13f4bee60cce2af71d0de6d8fcd8065db9173e0898a8edffb27a645c89417d02309a97b513b89b2ed48045ad4adb791dec4270b061e8dc816e51198bd98

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
08f4b2e994f580ec4506c68575e62d29

SHA1
6e2070d24839d49550367fcdb8e0b9df16c05b52

SHA256
fa4a11d052cea7c7ceb9b21da4fa2b4092553e869ef0674fe55842abbc186135

SHA512
8225cc4a75dc69b92cb420fc805c72b8640cbedfeffad07581ba19e34607fda43c59d8c0642faeefa93c1a0a80a32e30b702b508a35b6261d1ce04be8d50ee4b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d6aa029f57a2cf42d72eb8439017dc06

SHA1
e4675f1bd06f58233c229f613436af4ccddce2b1

SHA256
8ee59414dccbe34d61ce2c02057c41057481a71302ab1216f000a692d847679a

SHA512
2008b0dfaab2bdbe131dee01ef2212e16210694f68aefded3e104e3c2c889069691ba1bd5216d6ff79c7457d6bca45e0fb4b04860acb48c2672a6fef655f3746

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4f944fd7ccb4b64f3ae26eac37cae5da

SHA1
ecacac0101c4cefa8ee3719c7086a92927aa7488

SHA256
d70f5ba8a02c83fdbd749d9a7ed3398dfc6170b19d0df9e224e74f4838ac6962

SHA512
496bf007a282c37d305133cc9c03f189d5e46d84511ad765cd67b1eb81f62f7cf0842411df14d0b95cc0c5a2eeda31669479ae477d096d86a24fb08115402512

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0edc4402477a89b38b146de099bcf667

SHA1
ee3c059e0e43f5885d58117aeadce5caf97811d8

SHA256
27d00e52857b07adb201cf0ffb811f46d2879c604c7ddb23f701d17f140b898c

SHA512
4be660e470e104a3492ce3831368c564b46c6d110aa4bc21eea0888fe4bdc8ec72fe323d798c71c59b7c3aef4d729aba2eaa9f92d3d9fd179b0081f571ff04e0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8321f7786112d392845b504cf40defb8

SHA1
e62d34592af1e380fbda1476dc40f35355c44614

SHA256
9d3b0ba1f6f31f9f586f236171f41c5000146ca26654a89813c4d8eba36cb20d

SHA512
ec595c1e374e3755d0f10f57871529d21257bfde1447e1b2b4f135669ae876e1caa94d983514c651121eb5a15078e107d971973c638fb0268f5f532cb000e11c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
275e4313e688c7a6f7ef1e8064f3cc66

SHA1
9c8e0f595ed55d308c4314de57fab51e891d03b4

SHA256
c64b93642b0de6f2f3a51e3dced59047bcb065764a0e30deaedcd71746041974

SHA512
79ae85f4d92609670ad0e21c842c1f772c50a7d6cfdab43364cd21113379efc324cfab8810cfb58e2799b037f7d585fb52f9d9217a5b7c2939c9c115a9644d75

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ec8b83043402bccf0f872d21976501de

SHA1
a9b860a2ce74470c840a1e945e2cac2b48dfad58

SHA256
f3530958cfc001d47b2f3dbeb7948af8688aa8ca3b5fe9b87269462c27da7f6f

SHA512
e786959058c6ebf32844cf353fb261931c18aa7f85d8d5ce436a037ed3cdaa50f44df26b5b88dd3d6d226b94f51a06aecb7e364365454e8aa1428a453e5daba8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6f76decd2fa24fc0983487e4ca21a902

SHA1
6ff6fd273f075095205e1e502671f35184937c56

SHA256
9f3cefb9d9cf41d9a62e81773586cd35904e5a3a7229910367fbfa54a80ff9c9

SHA512
b41d5e8e7f8ffb0ff08f9f5dd6e22b2e790cb02743bc1d593cd25872c1ac802f6aac0f33e41e7f06ddc23296e038471dc67b2009663f66b8f12038d6babedc28

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/280-102-0x0000000000000000-mapping.dmp

Download
memory/316-132-0x0000000000000000-mapping.dmp

Download
memory/768-117-0x0000000000000000-mapping.dmp

Download
memory/784-61-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/948-127-0x0000000000000000-mapping.dmp

Download
memory/1056-152-0x0000000000000000-mapping.dmp

Download
memory/1072-147-0x0000000000000000-mapping.dmp

Download
memory/1120-67-0x0000000000000000-mapping.dmp

Download
memory/1508-112-0x0000000000000000-mapping.dmp

Download
memory/1508-60-0x0000000000000000-mapping.dmp

Download
memory/1524-97-0x0000000000000000-mapping.dmp

Download
memory/1548-137-0x0000000000000000-mapping.dmp

Download
memory/1588-87-0x0000000000000000-mapping.dmp

Download
memory/1620-77-0x0000000000000000-mapping.dmp

Download
memory/1620-142-0x0000000000000000-mapping.dmp

Download
memory/1688-167-0x0000000000000000-mapping.dmp

Download
memory/1712-62-0x0000000000000000-mapping.dmp

Download
memory/1732-92-0x0000000000000000-mapping.dmp

Download
memory/1880-72-0x0000000000000000-mapping.dmp

Download
memory/1896-82-0x0000000000000000-mapping.dmp

Download
memory/1920-157-0x0000000000000000-mapping.dmp

Download
memory/1924-122-0x0000000000000000-mapping.dmp

Download
memory/2028-162-0x0000000000000000-mapping.dmp

Download
memory/2044-107-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 784 wrote to memory of 1508	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	reg.exe
PID 784 wrote to memory of 1508	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	reg.exe
PID 784 wrote to memory of 1508	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	reg.exe
PID 784 wrote to memory of 1508	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	reg.exe
PID 784 wrote to memory of 1712	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 784 wrote to memory of 1712	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 784 wrote to memory of 1712	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 784 wrote to memory of 1712	784	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1712 wrote to memory of 1120	1712	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1712 wrote to memory of 1120	1712	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1712 wrote to memory of 1120	1712	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1712 wrote to memory of 1120	1712	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1120 wrote to memory of 1880	1120	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1120 wrote to memory of 1880	1120	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1120 wrote to memory of 1880	1120	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1120 wrote to memory of 1880	1120	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1880 wrote to memory of 1620	1880	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1880 wrote to memory of 1620	1880	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1880 wrote to memory of 1620	1880	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1880 wrote to memory of 1620	1880	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1620 wrote to memory of 1896	1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1620 wrote to memory of 1896	1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1620 wrote to memory of 1896	1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1620 wrote to memory of 1896	1620	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1896 wrote to memory of 1588	1896	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1896 wrote to memory of 1588	1896	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1896 wrote to memory of 1588	1896	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1896 wrote to memory of 1588	1896	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1588 wrote to memory of 1732	1588	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1588 wrote to memory of 1732	1588	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1588 wrote to memory of 1732	1588	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1588 wrote to memory of 1732	1588	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1732 wrote to memory of 1524	1732	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1732 wrote to memory of 1524	1732	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1732 wrote to memory of 1524	1732	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1732 wrote to memory of 1524	1732	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1524 wrote to memory of 280	1524	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1524 wrote to memory of 280	1524	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1524 wrote to memory of 280	1524	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1524 wrote to memory of 280	1524	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 280 wrote to memory of 2044	280	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 280 wrote to memory of 2044	280	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 280 wrote to memory of 2044	280	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 280 wrote to memory of 2044	280	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 2044 wrote to memory of 1508	2044	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 2044 wrote to memory of 1508	2044	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 2044 wrote to memory of 1508	2044	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 2044 wrote to memory of 1508	2044	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1508 wrote to memory of 768	1508	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1508 wrote to memory of 768	1508	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1508 wrote to memory of 768	1508	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1508 wrote to memory of 768	1508	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 768 wrote to memory of 1924	768	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 768 wrote to memory of 1924	768	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 768 wrote to memory of 1924	768	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 768 wrote to memory of 1924	768	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1924 wrote to memory of 948	1924	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1924 wrote to memory of 948	1924	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1924 wrote to memory of 948	1924	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 1924 wrote to memory of 948	1924	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 948 wrote to memory of 316	948	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 948 wrote to memory of 316	948	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 948 wrote to memory of 316	948	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe
PID 948 wrote to memory of 316	948	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe	92b3c5d9c17dd195eade7f25105b19f94ca0981e3354ae07007d2301a68d310a.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads