a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Size

643KB
MD5

963f1309199615322d727f1439aef5cc
SHA1

04e53b689c909a344236c455c938dea5fa5f4e18
SHA256

a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d
SHA512

e8d017683ef40c77142469e27fc8daf8c09fb278a9ce826ae71e765e087dde8162ea0127ddf6426eb2c96a44aecc40984e07ed497770aef79ab179d3fa9df2d3

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Modifies system executable filetype association 2 TTPs 23 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exea0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\G:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\K:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\M:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\O:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\M:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\E:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\U:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\R:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\R:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\F:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\T:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\I:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\V:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\L:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\S:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\O:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\R:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\J:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\S:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\K:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\K:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\I:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\L:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\Q:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\L:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\O:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\G:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\W:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\S:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\P:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\N:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\I:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\P:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\O:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\K:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\R:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\H:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\L:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\G:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\N:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\K:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\J:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\S:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\M:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\M:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\V:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\E:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\G:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\P:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\X:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\L:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\S:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
File opened (read-only)	\??\V:	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Modifies registry class 23 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1440	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1768	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1460	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1832	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1636	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1724	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
908	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1932	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1532	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1536	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1600	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
816	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1468	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1988	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1800	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
1336	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
"C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
C:\Users\Admin\AppData\Local\Temp\a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a11827feb23f35304dd5dca3c3d62f0b

SHA1
6fc7bfbe7f0fc6be73d36a83d11811a4c6fdd4ff

SHA256
a18bc2802de6cd42ea41de62204727e49ab2b3d9b5c58c37aca499ffca656547

SHA512
ad7291aa0a965d9661cf9a510bf13135ce8707fbd8159f067fae76cc036695091c633a1b41bb6c6446b79889789699270b7309a2b4479bd6a2b60f91864270dd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
443b080081971291858d45eb3cd78246

SHA1
26ad6524b18529854e68b12ef35f2016e1efad57

SHA256
ae96912856ab808d4508be89afb71c04e60c4dd7556b9a059f15c3407e3fd7cc

SHA512
0fdac78a24d6a519f5b2ce6bc4827c853cb780c9a2592676eac743ddf3ed1a61cb1838fe1520051a1a6c3ed8cf5405ca9c2c471ba92528f84a10de449f4a4f1b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7914d34709625fca96739b9a12feb54c

SHA1
40b59580dd13addbffc93e926fc827de850c81bd

SHA256
2a52db4c988e8823f9bd730c959ceb95c9c4f968be4901cfd4a118e279d921db

SHA512
f7bd9b76ee963a6450863128c74d57b08201ec80f183d41d0c6551ddb873d53307aca1d80fa12d8788787c82a005723e06f5874dcbcd799aa2f8dc895c975013

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fbd0b66ed4f89e0296eec1b16a3f9fae

SHA1
aff002b0f65afb9268b9a0300892abbb601d5a2e

SHA256
7c931e74579158ed86ec0deca91765ec3dd2be81bbc307d537d0b940713d2681

SHA512
6fd5f794815e3ce49b429de9b09c645dab7db9f9b7c0ec5c036be873194571dce03da78c596db0f4d16c10db12a02aa24db9181beaefeee0d9cc4141f84243c7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a24681b2f810d68430dcd6c985e9789d

SHA1
ffe1177ed17bc55a5c367ab2673f9105cb0986ba

SHA256
edebdbdf1e404c7e421b92981d98aab006113913cd9d867da88a3398f42ed3f3

SHA512
fd164d76bc0d8872b93792a8e87927868fb2e22be1406705024154f47be47a22c10aa07f73b43329485f5257c4878188044f6025b0b1fba4d5c5cf67ba8d4a03

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b5d12d8706765c683981ec38ab26b052

SHA1
6a6d4ed4db5124e54723282b3652a29daab66d5a

SHA256
e25be8fa583ccc8acc1c9f250549683c60dbed062f669a6043672fcd23062d78

SHA512
8647fe636610cd8251440fbbf45e887874a112bbe82af4a89717826aeb3a00ad240b0fce1db771f0aeedeeaec3af3a8f612e3ef9c76cbf4a326094db734e14e2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
61e84e7145e875107a1616a52da45cef

SHA1
3a8807824de65eed9fff371d2ea235fea0e116b4

SHA256
ef2871d52f8ee68bc20025f87cbb2aac80e67b7b73ef83b6e8ba807b3b897400

SHA512
126a9c5f2451315d751af3c4168be99080fa2e4794bdc53b7b533587eb37d951bb6806880bab8f960a355c3922613df22ab7cf5c785c808c244d25429010b9ea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
937aa7d700e9e83cf3b88fca4c06aef7

SHA1
a9b52b3cbe000c28cb3ed90fabb46600761218c1

SHA256
fcc51b9f12cf3a4981f5eaa023ab68db99f682d6e926c45a247f7d39c1647d92

SHA512
55d5ec87b70bf50279667117e6853b3bed91bca6e047b88a0ea26c1be43781badce3ff6d8231a20f28b19676f503f3ce793a7e7ad86d7069d4663b00d4345986

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b9a54e50b427873e01df8ca4fbeb20e6

SHA1
cd042140da611cabb4796d4c3695dfa63309945b

SHA256
d7e85821f1d5ad0149e30f524e57ea8f6929630816ba6052ab20ae41a68126bb

SHA512
58a54cbcc55547a4cca46de2ef7383c8b8b9378527b4418b1ded79552fa1febb9c20d0d35c8780f484373dd49ccc2c99ab93ee92bb5731d5aed5512ed2b7affe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a0bde441812728e64f53f8696df436e8

SHA1
1693649d28b54aee4d3b9def5d2ab55cb91a3651

SHA256
b9daacada9f1081555bdc839b24d99f3e0df068d704e6e7de19bcc5898bfca54

SHA512
5ed68d9b7f0ce66260754bd0b6db7b652b4273bb3d9afaf125f9cd1be4643872a2b55d2791dee574458978040571760d1b76d225b56088f35dddcbb21a16f63a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0a1c479cdcecb087d5bb74251ae13bf6

SHA1
9506eb9f91db65a429387d800922de820db4910d

SHA256
0c728bc5447cef99b819c2c61733e8ad8702157afe876996fdd8ccb02218ef14

SHA512
1f720e6768d3a38dae87f7837883622b7474c1a4f90482dcba02350cb56800b5c39ec4d1e9b8f4b09fc916206e6f56feb58cff60dda0c8740373646470a182d8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3fb9d2a6f126d0084b6c7036555c66d3

SHA1
70eb2240453bc0c4d03457219538ac4eeb5ca770

SHA256
2cccdde8c86583e9d706d368f67d9a24034de97f3f6ce28e92da5f5fcb075822

SHA512
f2d7cd5365505f4dd29e5a718a40851e1757125fd50c90d3c0374fcbdec6bf3905a9286249f9ad376706f88435f11c7565daccda14b8b55409a92f513d4f426b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1c31096ac173dcc38491e10bf2810184

SHA1
033edd15af1cb687f5a0df5f4ad10c7c9c8a2271

SHA256
acc9f13beccbd5ffb0081e7e490b4f428bb2df827b0ac31786f0d71be60060b3

SHA512
128c1ef91e3db781fe7a094e582b58e0aa793fb50cfe598338838e126efe6d17a0a6acc88a81cd2dccf98e34a2ca29b38fb02ca4b16e26927b744659bb1de6b6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5a6ba09bc05635be6df3441f47c8824c

SHA1
fa98e106d6cc165fa087d65cac330c6b69a0aaa0

SHA256
3c0f5229e68a6f9dbb1bb390464e01ac89c33235c40997e105d8dba9cfb49fd8

SHA512
a3e8ae577ed60d8ef43d51a1a6097bc5cb936a5c17bdb1359e4dfa383cec28a0ec5dbbca2109596775f1765bfb15aae1067770a510a497a4a5ac30925767f65b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9a58768dba575e4a27c119b817b7c716

SHA1
af8e5c32bdc903c9f52b00f3ac79b3794d244764

SHA256
6102df76aefbb65622456a1eb1068c30e41451c87fadc89ece559fd987cc9f76

SHA512
924562d0d4203a27dbb7a292b272e654999bc4efa5495d53f9868c17ed6dbc6abb2456b03bc9c781dda8b4e77c2ed8e7c231d5e4e031e8a29034793ee760ce9c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e7ac6b2d487790360aebbf275cfcdd5c

SHA1
64c20bd348e55d4589868a8e380f4542ea5eeef0

SHA256
b0473543f3ddec157795d0fcd35a65ca2ac09b746acd1f28c6fd7b95815c0028

SHA512
1157cc3bd36bf0f66c065e647a24666485b76ba21d69b11b682ee26ed08249fc5e42685d8e0493c7bc40884a8db51ce2c71973bb9ec56033ca679b926cf73074

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1e7b6a5d875bfa3183fad298daa33852

SHA1
ffaeb037f74056771d4d5cba28b9ccf7972089e4

SHA256
270dfba8397147b37f40f9d447e6d530fcbc91fd2941d5f32bf9759ec63cd45e

SHA512
0d78f273f8948e09ebcc576ca7d60ddf64419110d33bef4b0bcbe272d03190754278f6041061d2775bc5d9b76f32f22cd4ac2399e13a8a177e2b116e433fbb62

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
378f19782c61e2258cec17a346201150

SHA1
070b042922d19777af2fe4dd14c32d9d5c7096b8

SHA256
f5dd122c0b707089efa486278bf3a49a5274e6f2f29f9cc3ed3bc3d49fcfb141

SHA512
9499d12d0627310bfcd3542907f7b955e971ef420d8f3ca4617e464cae6d3d2e11d85930cd95aee1303eed377908565851e6068430fcc1e6893ae14f8174a8f1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
df3c150cf7a2e88d2e6736de42ea7064

SHA1
8a406732a9a5d26fe152434a8fbae4fa403ed2a4

SHA256
0053466cad1af5141f776d79c69034407f3bae63cd2d57b5d6ec890e9f954b7b

SHA512
8ea750131e0fe8f2d9c829a20d137efcbd2f9a8d9697a252f87bde6c8f14699b72308233789a8295fa387fa6f0a3ab64800ae49f224e3e8560432334c9c76bbf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5db2f5f848f7e5460a1cb709512ebed5

SHA1
9a35d149ffd825775e9c87b9b2e245c8b3d1ce45

SHA256
47e2d774ec1329fbe0f3d974036a75aa31858c2fc777850d458c8254e1dddd23

SHA512
f2f8d1d773efc8f05570f8d121e5c975f5821c4b59ae4909e0f7a6dd40d1342cc8d40683e2e1230248a5f9d0894057bc2ccdd307a84d9da22975ba5c1f1dcda6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
483b9794441a1f0083ffff600f4c94b0

SHA1
acaffedb04e2b72d6e265154846063fea226d0d1

SHA256
e32d7d2fb5017684d9d72df9c83d744c1b5643ea05f3295715fb66de4bd5efd3

SHA512
08da2281bfa8eb4671db24d37df0f055c0e330beecfb00b2ca03c3d66186f2d472aa49de3d912980d406accd1d954e35a4d676103687e013575bc62d4be1dad0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fb5927525fdd272447b99daae667595a

SHA1
addd16576fad087495899bc1dac07ff3be5f470a

SHA256
9e35f5d78fd719bd6b58120ac0986e2ea6a2893e6708cf757d6e99f556c81dcc

SHA512
d751d1e466099ae1b91e6b4d5a7ac9f09304466b860375cd83348756021ef90bfdd79f290e6bfe3370ad34f37312c6e3e355c1bfd37dd8021c0ada0e5d4bce32

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
70ba3909efd1b62037c0d63670e8d5ee

SHA1
02c127f1ea352b58562f892e20be75ad27d6d830

SHA256
547462b7478b9c0dea665993793d0ac1ed9cdc879d32e3161c079e63074350ec

SHA512
b142fe2c7b7a0062df7ddad9d4987b795a221c46019daf181ff977a9313a5389b4aee6125de4033427f454df4af203915c91b0bb6ad85fdde7688a3dd7d1c7b3

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/816-136-0x0000000000000000-mapping.dmp

Download
memory/908-111-0x0000000000000000-mapping.dmp

Download
memory/924-156-0x0000000000000000-mapping.dmp

Download
memory/924-71-0x0000000000000000-mapping.dmp

Download
memory/1336-166-0x0000000000000000-mapping.dmp

Download
memory/1440-61-0x0000000000000000-mapping.dmp

Download
memory/1460-86-0x0000000000000000-mapping.dmp

Download
memory/1468-141-0x0000000000000000-mapping.dmp

Download
memory/1512-96-0x0000000000000000-mapping.dmp

Download
memory/1512-66-0x0000000000000000-mapping.dmp

Download
memory/1532-121-0x0000000000000000-mapping.dmp

Download
memory/1536-126-0x0000000000000000-mapping.dmp

Download
memory/1600-131-0x0000000000000000-mapping.dmp

Download
memory/1636-101-0x0000000000000000-mapping.dmp

Download
memory/1724-106-0x0000000000000000-mapping.dmp

Download
memory/1744-161-0x0000000000000000-mapping.dmp

Download
memory/1744-76-0x0000000000000000-mapping.dmp

Download
memory/1748-60-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1764-59-0x0000000000000000-mapping.dmp

Download
memory/1768-81-0x0000000000000000-mapping.dmp

Download
memory/1800-151-0x0000000000000000-mapping.dmp

Download
memory/1832-91-0x0000000000000000-mapping.dmp

Download
memory/1932-116-0x0000000000000000-mapping.dmp

Download
memory/1988-146-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1748 wrote to memory of 1764	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	reg.exe
PID 1748 wrote to memory of 1764	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	reg.exe
PID 1748 wrote to memory of 1764	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	reg.exe
PID 1748 wrote to memory of 1764	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	reg.exe
PID 1748 wrote to memory of 1440	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1748 wrote to memory of 1440	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1748 wrote to memory of 1440	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1748 wrote to memory of 1440	1748	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1440 wrote to memory of 1512	1440	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1440 wrote to memory of 1512	1440	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1440 wrote to memory of 1512	1440	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1440 wrote to memory of 1512	1440	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 924	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 924	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 924	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 924	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 924 wrote to memory of 1744	924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 924 wrote to memory of 1744	924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 924 wrote to memory of 1744	924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 924 wrote to memory of 1744	924	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1744 wrote to memory of 1768	1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1744 wrote to memory of 1768	1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1744 wrote to memory of 1768	1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1744 wrote to memory of 1768	1744	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1768 wrote to memory of 1460	1768	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1768 wrote to memory of 1460	1768	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1768 wrote to memory of 1460	1768	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1768 wrote to memory of 1460	1768	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1460 wrote to memory of 1832	1460	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1460 wrote to memory of 1832	1460	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1460 wrote to memory of 1832	1460	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1460 wrote to memory of 1832	1460	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1832 wrote to memory of 1512	1832	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1832 wrote to memory of 1512	1832	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1832 wrote to memory of 1512	1832	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1832 wrote to memory of 1512	1832	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 1636	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 1636	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 1636	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1512 wrote to memory of 1636	1512	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1636 wrote to memory of 1724	1636	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1636 wrote to memory of 1724	1636	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1636 wrote to memory of 1724	1636	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1636 wrote to memory of 1724	1636	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1724 wrote to memory of 908	1724	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1724 wrote to memory of 908	1724	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1724 wrote to memory of 908	1724	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1724 wrote to memory of 908	1724	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 908 wrote to memory of 1932	908	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 908 wrote to memory of 1932	908	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 908 wrote to memory of 1932	908	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 908 wrote to memory of 1932	908	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1932 wrote to memory of 1532	1932	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1932 wrote to memory of 1532	1932	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1932 wrote to memory of 1532	1932	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1932 wrote to memory of 1532	1932	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1532 wrote to memory of 1536	1532	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1532 wrote to memory of 1536	1532	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1532 wrote to memory of 1536	1532	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1532 wrote to memory of 1536	1532	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1536 wrote to memory of 1600	1536	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1536 wrote to memory of 1600	1536	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1536 wrote to memory of 1600	1536	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe
PID 1536 wrote to memory of 1600	1536	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe	a0599336cb5861d9aab6a544ab05399c9c842eb0db071b53f2149fb5f971272d.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads