fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1

Analysis

max time kernel
148s
max time network
183s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Size

161KB
MD5

427aa518b17bac4f95e2bee7085fc770
SHA1

34dadc42b1ad8861dd2067e5912953f2eefa6d19
SHA256

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1
SHA512

275a60c6cbeded188b039c6f9928cab43121d5785088a3339fd475269b3bb2a570e052f80ae2473b569f8fba3f8ef71b1b27b69cfaf4e4ca28110120b7cdc286

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\E:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\W:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\J:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\U:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\E:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\R:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\J:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\J:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\W:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\R:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\N:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\W:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\G:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

pid	process
2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1476	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1764	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
880	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1804	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1864	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1064	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1456	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1620	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
664	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1784	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1144	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1652	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2032	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1668	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
556	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
"C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:556

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
22⤵
- Drops file in Drivers directory
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
dc299655d48fe4672caf4bffe386e2ca

SHA1
538c18f011fe056a538f4954c024917373002a5b

SHA256
f9e7684ade6e45d29b597e4185bf840302a4f902d67fe134a4326bd9fea4388c

SHA512
0cc15a352cfe14903330ef22c0ed7ea931040f0c409145c85330b7775b8ca8e27091b67871c443bd9e2506978f31e5c52edb7ea620943284d6c2d462ec9ba7c6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
94dae205ffcdda3495ee31bdd02788f8

SHA1
2cbe39504f237d1dcd1d1fbe65ac3157da5ead24

SHA256
2b93507397ff2216cd8291c7ec1ffa18ec20a0ef29b0679213eb5fbe45765757

SHA512
4bcd60d939db234af413d1fbaf8ef5dd96995e87c9bf8b14b8bca607341474021357ef73033f6787ee0835a8b08b3ffc63abd947a42614eb97580d3f6a8bafb8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
296f71b002466447b19d5f468d21bf32

SHA1
f45664d56868819b006e20991d72e5eed0977652

SHA256
f9757441b82e50acc19e1f940f22b6839ea46d76cd80435278e34ff8fe316dfd

SHA512
2b888baef120965dda1186f448d531212374a990c4ea26dfd1220992444449fcb6ee3400e003835d2d7872b9b347bf93e820ba6a9a618573eaa1c73ef0e0db27

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
540442712622dd8f011d1f42c420a925

SHA1
573a7b10fd784fe2d4a55fecf6606dbe59a241f8

SHA256
599a53a0a48e08dcb859cc6c8a6c13013a93b6e76925df371aae1d3f0718afe6

SHA512
930ed206af6ec8cd04ee355ad02953117c68d3c2c10579c54875fb5e88bce585f7d27fcbe9f876691e1610284acc23e81e8fd079e2c6a9441877b6518990ea05

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6476b54e52fe8a9ab10ca37df1aa8c71

SHA1
fcc6510d075528103086c6aecc0e568e448b2047

SHA256
8dfe314d896473ef14b9e8f0a3a8280bbeba23ca32ca55aa7c9978a234994695

SHA512
2c59b069e99d0b6ec092dfd066e55237340a6fbb2d2d455cb9864e5044d122d22a6df8260ea20f5df03c31f5198474af679c921b6ecdc928871ca99aecb9f5b4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
15dda5f09e10e53e108dd860584e33ee

SHA1
fb4f14a4acc38373489ddff5c8236a8c9051d17d

SHA256
bb777a67fc2efa0f32726ec3330453f4d367dbab32af7e1687cf3664c2a400c4

SHA512
82369e9a2522a86a1716f0a5a5b71d242bc0752dd6e39e610fec7238af40279359f8b88b61258fe22f5b1c5ad3374e3d49d02d4707972d8d9dbc5e8941a6680f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
62feada0db0c0889bf1f4de886756284

SHA1
79a23ed6b6e0879f2db566db53c018499b7b3e5a

SHA256
3bc7fc14b550805fdba2b811b9558ddef061f11fa158bc490164042c296c7f89

SHA512
e536d2aa019849a5e9c608b31eb1343fe12be93ca703fc003914fc1a178c7efc128cd9f9ace85d36387e12f766c83fc3a6a67b89cf9df5d8c0a79fd9b4d8dcca

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3caa26b9361a838e58b9959104c97da9

SHA1
bec4a5d538b12e464cdd62d457823084dde8b807

SHA256
37b12f9f8e617a971a48049352f37c38ef55785288669e47b498d98f82e1bb03

SHA512
ddfd74eb51a9a01b6817749d56546d5152e0cd9971e90da4ccae21b8162f32733d13091ec8c67a667120bd08dc889b4c63db9046283a5a2a08085cebc669f887

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a1ffbbb363b72ac77d40a860b023d2ef

SHA1
21de14e8701d577afe9a61b332f4727a997c3e6c

SHA256
245aba8c7d5d813eb860bc6fad3b3cf0bd514f9dd480daf0d35319e4a02d5ff7

SHA512
89569feca404b51383720dc1ed90c1f88e8fe798689295536dfc92946c605779141adc55f250e54e126aaa4238a9c21aa814f800a070fdab82645bf1691e74da

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
51656802da0ed49284eca7c64dce018c

SHA1
2e14bc7ab198a15bfbceab5806143c0c845ebca0

SHA256
edcd07b122f90175d50e4676bd9661cd58fb038c1969a42cf258dfb97b26f5ed

SHA512
26ac575644b8dc80b05c457e846bf2bdc3397d91e2fab096830867e45fa17acdbdef10070459a77611bd00925acd9075fb79a053feda1758aa435c0b6fc8bfa7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f9b8ba2c5e088f76256ea64ed6af43bf

SHA1
b8ad4193e43db3b9f3792332157348b0f9bcf132

SHA256
ba818375cecb83fe049a70239b5412012bdcc0b29ecd6d0aeedea9dbee236e77

SHA512
42996921e5ee7cb685b9a3508507f6c4a956e06383c0673e5de5752b488d11ed6558280d8f10d251a1f6b2106e68538743fa00ff020964a05c4c694add70811d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
57627ba1121c1d430849fa7bde1e8135

SHA1
a4bef64f68a6f7beb48d24395f94cee6e325ce42

SHA256
19bd7c12afe007334e3f3ebd323e3645b8d793f2f184655ea91d1fa8bd720c32

SHA512
a9e33722ca563cb85b3be75ed299732c3579f36309b709c9a7d09b92bb361c46321835f05ec9a9dc5f6e8999864fde8b9a6aacac97d9979dabf1c30b7fe95633

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e62ff1693de9868ddf5fbc34d8c33ba7

SHA1
010b7ea8dd8bcbdb178d3ed0a0dfcc1e5485ee96

SHA256
e7998ad6d7088e145cf927dee45bd342b069fbea21e2a7a3aef3d23b165a94db

SHA512
d87cea6c58aa6af4740f7c0fe1d8b3c749ac6ea69f1e2f13385285a24b05bb9f197869f58b489c472af7f2a35e3215a0ec2ac82b6e639773873016729146bcf7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0ebbac3e8b2fe8b16524a15e38b3b5e6

SHA1
a50ec3511487950c8732156e0c15119ef407fe77

SHA256
89933f7363a5450cff9b0480ea5bb5aa42bca706cc36a3bd24a99eaff7bdf26e

SHA512
8fcb2a46f2ea4cc6c832431aa8999e1bed294e5ca4b4588299a360c246a2e42fa66a520dd3d6bdc96e4a22999f42e3b6e1a4e7be8b46136b7cc9e9832122d294

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
735bb31d2ac58048015171b4b84e7ee9

SHA1
178957cd279aed376990906b61ecc11f93afeaf8

SHA256
635154c1d1f1fe55d3f182a9159cdf9144f372c6c6ae56847fb144113dfd5180

SHA512
207bd5afb82880b2ef511e0d4667c843f7068100ec3981240609b60cd2be370bf1dc7f174b31fbcfe61c522533d44ec8bd0518682d7f78a9b5c7833de28572cc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c8b03bc1ba6109614f71a8ff1740231a

SHA1
85684704be29f2959e2e335ee2f64215ea170bc9

SHA256
86a091cfaf725f385d349a7a1abe5ffeeac2b94dfa7ebd9bbb6752d9592aa85e

SHA512
6ce37bcb1d95ce67354cfc01ebc2d829c958875e73afb1dd37322d2af213b30e07ee60e1abb2b9b9f3a7d97e0f09e8dbdccb8dcc333ce9d1a58c1d8933c7c95e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b6d65699d129ba1850dc861a48be1435

SHA1
79a8cde509f508d6f0f3c48162fa670edb5930b1

SHA256
dc3a3293856780bdd97eeeb9c840a71b906ae23b3ff8ba66d5117508bb35f686

SHA512
9c43341ce5da7122e95459abf27eb2c8a1cddc564320b26ef69ec480a2d5ec5dc1f8fa5aca18dc6e7ffe0cf0a32688c16022b2441132d24215738f70041b82af

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
818e907aa5068964432ed891fcf4920a

SHA1
071264bfcd8a06ac094f0db3ed8643ea996c38bd

SHA256
a1107cdb91f12557ae0a7050d05046fa5cdc08845a8324c07a64bdb0f841b60e

SHA512
8f99f9762d0a348b5b2532a59329a9557815654173044a161fbc598465fb89912f835edf7e6a077b8f457aae31135709e616ff840caba804baecd9dfce555006

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
69f37c830cdd7a78cf52e7e7c7a7ee1a

SHA1
caeca90b1ea21e7516c0add3adfae512be930595

SHA256
f0493f1a562ea19dc3148942d51bb337bb763a98f9b76020f4e51e38610536f0

SHA512
682f4174366edcb68788a57f896e1a029c5e2512b2d5bbca184d5dbbc4b8a61f34e1ad980a80ae1a4838a7bcabfbdec0d79a0351e72e5ccb131c103aab0041c4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a52b954bcd1baeb4a124e08d759edf6a

SHA1
cdf9eaf63c1cdde6ce1fdf900ecdf6709a12a13b

SHA256
fb638d7f0aa7530ba1330496277e8c19574c84e9f29a531fc8d3dc6d303c2f21

SHA512
97b25adfb7b0c74a3fd28a9e5c4f793dcddc8b28e8cd4c85760988ca5e7e75da7addc206424b63920f1036267e9d8a011347cd32f2c90e792e823c30fd3a17b5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
da2b8c76733cf433efb65bd60ac5daab

SHA1
7fe779312754e9a4b24c8ce872e58b44faa9b7fb

SHA256
66b022c76fdfecdb01645ae31f0adad157336299f074649b5868810c18f2d5ec

SHA512
e34a141cf5101b7255bdebb01a153840a5cb3a1e47cfa9363885671a00615059900d4c26d794ca92b24f18fbc593ca04dc82bfdbce33e7754b67bd805441773f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4bc64e1e327b2f630028bfb88f53dc79

SHA1
0b3fdbf14d3ecac0deb61cb9a951fe7f7f5030e8

SHA256
4d5f0d891a186f44ce4626356a664c8d3a35d5fd93acb9f204877e3053274695

SHA512
893aae41321209574a76ee8a02d1c75c493ecb0c6369628d396e697ea4ad24345aa8652d68f10cc7690485aed415562c34a7512f0915de893b11bcb64c507b8f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4c07bb100cc6acb9d1dbda692d740557

SHA1
d894c1c5ee75ad8d0884a46ba5040462602df622

SHA256
3607ac7af0f8d577f24a824c2ef14aecdaf7a91903cdb82dd94410adf4941b16

SHA512
1454c1c449fc65d7fb873f6c89b1e9f2119b393137c48c953670315c70f6eff3e0a62bc3075f2ca4348f2babe3d0ae0324da0b1ca3fe5e9b0545808d95345b50

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b3656dfb6cfa58cd39c694affdeceaae

SHA1
267f13f8f17ddb3cd8088fa669df2cdb0d03036e

SHA256
66dbbcb256b7a2230004a24ffd416237416db9d187bd76f4ba35da01ffdef810

SHA512
e99228106df73bea6445dc882c8aba9cb349f3ae21d3befc615ad53dccb58b54eab2afee5dbedabc065b9f5de429fdfbfe5b7d88a806b4f9272970800c5ca5b6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
21cfa630ec25862f35154b237b1e2bd1

SHA1
8fbb01857c66e8e6f29d13effe599833bc26df42

SHA256
990a8757458f0baa0b5c9786fd06d28107c83ccb4129c1d0f8fdbd307dd87b51

SHA512
50c36b9234c1e2838e5796a033dacf3b6f0f97b909fcab1d830f34676333dd640a38dcff6d0dfde8ea344472716d2c42e35680fd7608d95ba1c99abd0b65974e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3abc943cea2e2def7d32e4de5817bb15

SHA1
e589f98e96b187f5f2bbd05731541fc1b2b3a9a3

SHA256
37dc9b34ac30779a204116431161acdc34965e2140436cc78aa59d0e96ec35f0

SHA512
25f6940b427c2560084421ae567d2318a238d1c4e7d48540e8f5147e743c3a2db32228aae76036b6f3339a14aa084f4b28bbfbb20b911c3db7f3285d2aa17657

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1109982b49bc90691ac21e1605997d81

SHA1
b6651582c909000a899441a0c1579f7ff66f3041

SHA256
56a9beace20c0836082aa309d04b3b93c2ca1170ff4732c75c94333d34082629

SHA512
1fe8897c735736139a764ceef0015e0d4d3f4067f7ca46307c83b57f849aa85331083d5165b19905c5938fc257c68078fc8cba81be337fe1eb377f807e301d30

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2c1e8ee1585e5522c75b64c6b18a4bc8

SHA1
877abb64f29948a1a4ef9624ab678a50f2efd3db

SHA256
066e08c230883c7fe81d37918a3335c4a73101ba45e4ed474ca2f632347772ca

SHA512
27c762f4f22af0edffd83f5bb582c2bd848023f001d3fd8c2bac0fc59acb5b3fe951279b1b2f2f459d4b7c83d1d9c05dd4a35bdaf0235ce127076e5c59a8db4f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6e6f77f1865c2b814fac0d9d1400597e

SHA1
0c4f891614c699eae72c5db77bb86e32829bc5ee

SHA256
322d5111e0b6f93aae53e0d3e550be46752207189b3e945bbce41b6733d86037

SHA512
f109bf08d7c4f3c2668b3d8b75c47e0cc566d3c41cd2be2418b90ed5efe5b3b4bf7c590b9ab8b451713bd515e24beb2017ae8cd1743b936e8fccf558b746cfc1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9c9f30db86ed12729890debe2b823b88

SHA1
0c59932d8745170c510de4373c5bedd30c56ba7e

SHA256
babf396ed9e6dfe34ef82e17db18c5da9cbd32af59d64202da5653477a4382a6

SHA512
81e861044f015407500bdc5857a3ee5e3f0d6c9e4de5ba7c7f86c1f6ad7c2341826e87af41d94b3677b64fd30e5f0f2ec405809818606211b657c028be6849a4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e9a6f79e2fb5d22463ff0a9a8ceb18cb

SHA1
5d52e1f3430ebf45bf8bd334799ae605cf6f990f

SHA256
12179c21085f8ce448c0f005a8b3a10f5f8bfd912d9ad250d87a6235d26a5b18

SHA512
bdd313595ff176a8f9500466b3b35e48d2d143574e885df382eed99669d38700fda5fcc7ca3624ec65283970661ef059aefc93379a95145c89488850cefc0ffd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a9a59bd8dbfbb868f769f796c1ca27f4

SHA1
3291166278d738e9351e0a64b6183399dace3c2d

SHA256
4bfa457c88488e2db9ce6b95fcc03f7f5e378534acfebc6c849c16af1f487895

SHA512
1bdd1ede242148e7e71b9f7b098dd01916aa5576bfb41ff718304c704d16457838956780336f194904bf8940ffb723ead69024dee47d0c16ad9c41de8bdcefa0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fc68605bd33a36f5cfdaf8b48f0fbdd4

SHA1
3f887d851fc904a5e61d0babffc3554434cc1aad

SHA256
202be8c45ec3f04a6c9260cd1eaa78fa414434363b7a0a790de8e1ecd869a4de

SHA512
9010eb7d37ccee82c1835c7deb6eb5b7ac11765563af421ec5e0c7ebbfb4da9205bcf5643410589ba3681462644a04b8e9fcd67d96d4d4133f2e04b400bba155

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/556-157-0x0000000000000000-mapping.dmp

Download
memory/636-122-0x0000000000000000-mapping.dmp

Download
memory/664-127-0x0000000000000000-mapping.dmp

Download
memory/880-72-0x0000000000000000-mapping.dmp

Download
memory/908-92-0x0000000000000000-mapping.dmp

Download
memory/952-82-0x0000000000000000-mapping.dmp

Download
memory/1012-117-0x0000000000000000-mapping.dmp

Download
memory/1064-102-0x0000000000000000-mapping.dmp

Download
memory/1144-137-0x0000000000000000-mapping.dmp

Download
memory/1456-107-0x0000000000000000-mapping.dmp

Download
memory/1476-62-0x0000000000000000-mapping.dmp

Download
memory/1592-87-0x0000000000000000-mapping.dmp

Download
memory/1620-60-0x0000000000000000-mapping.dmp

Download
memory/1620-112-0x0000000000000000-mapping.dmp

Download
memory/1652-142-0x0000000000000000-mapping.dmp

Download
memory/1668-152-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x0000000000000000-mapping.dmp

Download
memory/1784-132-0x0000000000000000-mapping.dmp

Download
memory/1804-77-0x0000000000000000-mapping.dmp

Download
memory/1864-97-0x0000000000000000-mapping.dmp

Download
memory/2012-61-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/2020-162-0x0000000000000000-mapping.dmp

Download
memory/2032-147-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2012 wrote to memory of 1620	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2012 wrote to memory of 1620	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2012 wrote to memory of 1620	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2012 wrote to memory of 1620	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2012 wrote to memory of 1476	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2012 wrote to memory of 1476	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2012 wrote to memory of 1476	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2012 wrote to memory of 1476	2012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1476 wrote to memory of 1764	1476	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1476 wrote to memory of 1764	1476	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1476 wrote to memory of 1764	1476	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1476 wrote to memory of 1764	1476	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1764 wrote to memory of 880	1764	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1764 wrote to memory of 880	1764	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1764 wrote to memory of 880	1764	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1764 wrote to memory of 880	1764	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 880 wrote to memory of 1804	880	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 880 wrote to memory of 1804	880	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 880 wrote to memory of 1804	880	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 880 wrote to memory of 1804	880	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1804 wrote to memory of 952	1804	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1804 wrote to memory of 952	1804	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1804 wrote to memory of 952	1804	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1804 wrote to memory of 952	1804	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 952 wrote to memory of 1592	952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 952 wrote to memory of 1592	952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 952 wrote to memory of 1592	952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 952 wrote to memory of 1592	952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1592 wrote to memory of 908	1592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1592 wrote to memory of 908	1592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1592 wrote to memory of 908	1592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1592 wrote to memory of 908	1592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 908 wrote to memory of 1864	908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 908 wrote to memory of 1864	908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 908 wrote to memory of 1864	908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 908 wrote to memory of 1864	908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1864 wrote to memory of 1064	1864	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1864 wrote to memory of 1064	1864	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1864 wrote to memory of 1064	1864	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1864 wrote to memory of 1064	1864	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1064 wrote to memory of 1456	1064	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1064 wrote to memory of 1456	1064	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1064 wrote to memory of 1456	1064	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1064 wrote to memory of 1456	1064	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1456 wrote to memory of 1620	1456	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1456 wrote to memory of 1620	1456	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1456 wrote to memory of 1620	1456	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1456 wrote to memory of 1620	1456	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1620 wrote to memory of 1012	1620	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1620 wrote to memory of 1012	1620	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1620 wrote to memory of 1012	1620	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1620 wrote to memory of 1012	1620	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1012 wrote to memory of 636	1012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1012 wrote to memory of 636	1012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1012 wrote to memory of 636	1012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1012 wrote to memory of 636	1012	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 636 wrote to memory of 664	636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 636 wrote to memory of 664	636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 636 wrote to memory of 664	636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 636 wrote to memory of 664	636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 664 wrote to memory of 1784	664	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 664 wrote to memory of 1784	664	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 664 wrote to memory of 1784	664	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 664 wrote to memory of 1784	664	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads