1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397

Analysis

max time kernel
154s
max time network
198s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Size

1.0MB
MD5

2600ef5b77e5353057f5b5f2bf283a24
SHA1

ea7441aa62b9ed9bbf77850793f6575d64fadc24
SHA256

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397
SHA512

ffe6b615d0f304a1a7cc9e65415a8bb0302c672431ebbe5b2fec44f77baef0158170e7d03e3d0413fe1bbc61e99a7de7adea13dd8466ba152bd55d6c549f8f84

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

pid process

384 1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\R:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\K:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\K:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\L:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\R:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\I:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\L:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\I:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\I:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\H:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Drops file in System32 directory 1 IoCs

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll 1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1356	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
848	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1596	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1728	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1656	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1992	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1264	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1440	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1448	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1900	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1336	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
484	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1224	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1636	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
624	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1792	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1764	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2008	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1988	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

pid process

384 1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
"C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:624

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
23⤵
- Drops file in Drivers directory
PID:1508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3ec6d37180f29dba5b70706fc01628c1

SHA1
68ddbeeb90ea4fe471516a64e79307ac0b6ed0c1

SHA256
d2bade0eb6b3146db5bf81a5b1923565f8c3b2c3254c93a67fbfad4ca9503b30

SHA512
04a261d38fa7d8723657eeb2dae7ee297d8fdc2bf12698f4ec4391e887a027ac270bc403407c71a260060402c9a1528d853fcb8c14fef492ef14bd6124edfaa4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
92a3947304204421ceb8c39a2620a5ef

SHA1
13b334de40b79904fea0f10c60241a25ee00de97

SHA256
473a54b888c9ecacfad6deee6f1b603ff4fcca4178352db959a87d693492e34b

SHA512
0ff6d548e67be7b3eae6fe5babc0ac71891504511a8cb63f1954179282869617dfcef515160d922d309d5d5f50aa638c1ad1fbb483290a9660e18e30c775351e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3bb026a4bd60841910a6d6a719265f7d

SHA1
3b9f9d545834be35f1b5dbda0c2b65f6a7fdaad2

SHA256
4eeddbac8c2d7a923e213a7b95cdbcb3a5ba6798e968537a64e73947d0960c18

SHA512
8f78340d796cc32c7bbf5ef19a96ea861ce848abeec828321593a860f325a455693d0720f2db2af9932deaec33ccfb261c5383112b6cf56aa7e4aaf1522b08bb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0a444c2fca1c8b965f93faf6d32434d9

SHA1
545054fa168a6af756a3fab12edc12e28198f247

SHA256
d87d5edd62fd19aeb83cc45768fc7a7d72ce5e3f2b0953a298092616c0e02a30

SHA512
e839cf42002b41e428b8abc6188e0312a755a0060df57449774e5710cdb03c96aef641ddaac11cbb3f2a42c52938c003cde89471e9e29747deb220b8fa274871

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
621a4fc6377a6435f1ebd31fee6ca0ca

SHA1
9912436d4fe19107daa375c1e27c762688dec99b

SHA256
fdbfed2991bb50c728e8826ec61fb73d5f1a779a60e448d3fb34cd73473cfa0c

SHA512
e26dbf080576438aad981887a16bffabb26ddf79a9d0df6d4c74da487c3500438a0ad902a3651464048a071fbff3bc98da89bfdc7eba0f12d3953e5112733a18

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
be730a5373d01e34024e9b1ed4365010

SHA1
9ed3a656d45b0e81e566ad14626f9b8684ca081a

SHA256
bc93bc29707378d16e2fd52d7442823722ae0777802009fbdbfb2652e1302579

SHA512
3f60dde42d5ef2b09a5d4fa86182743b765e91865718f555d1f22a087ff0ea9d0e35be7e230ebaed796443b14152ed7270059b5f772d272dd60b7a3ef444d5c3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2363165419c37d80d12d3968b8f67bb7

SHA1
03b7810fbac083a836f72dfd472d7fb3bb1664b9

SHA256
4f4faba9aa11eea50bcb5234ea5e5c6d60b736eced93dea2cfc26543433bfe1c

SHA512
736c544e19f91e791e6c4238a46b5327f77a2324e7e360a52463b9d0835346632ddfaa219545a6938f6cdec4d7b3571d63a9f48229129332841e80c810d8bdff

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3ab57a327bab6d1a44d1c542517df47e

SHA1
5553ac15ccf098e0d355b310ab01837d292db0c1

SHA256
cc2e7d30474687435ce12908d7ccae76c6bc15d651a88a51feb18b6ad8c7f458

SHA512
c1ef7c5b2fe8dad0a317dbd9163ae07276ef12e313b6fff6f2bd56257ee4985908d8b71d4a5e18bacd780c0e052fc28b39281d2b8f02bb73a94bb9031314a6ed

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e904378f208507e0d0540781b41e6f65

SHA1
bc265cbc66e67ba097b8691f9f2ebef6659935b8

SHA256
dfa07f28842921eb1fb947ce1f29b4f49297ef86743a9e2db64ad8a9baafcd7e

SHA512
35e8767a5f04800a6b516ac65e5e335add078ad58f64313787f8105eeef524e56173448724a3e953c3aeb6a2e395375307b7c1af9d76cce9e35240493ecd0c51

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
274dac1dd33e03886f98232a7fcb023f

SHA1
4be611e2670bb4e9e1678266f05ed16645b61404

SHA256
82e10e82674295b1c02a53fae8b55860b397d9934ad9ddff8520f0189796056f

SHA512
04603712d2d257c7baa9111fb79f3f841bb17fa70951f19c14af20d06e13e8f2332e689a4d52d4eb67284b24c84232374fa83d7d082437ace84e68da4062aa99

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d2d752b6bf13c7e3796d6660ef091d26

SHA1
f069f6280045d798d89582c48cff46086b858d53

SHA256
ffb238b7547a5f975b7f7a9d5c53f558c8e48b8f45e4a0f4b93b6b1db1eee0e0

SHA512
56e637686bb28be5388f851081efcd919a697fd038b266e9df41759a5b9bb71f72559ff26b143b29df63324d6a50f5d35919720a8dab2a9e0ac8a8ecc64c1ed7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9519509222e37c4dc983839e33e3095a

SHA1
366ae6745923820cf9e7652daef498b91d237869

SHA256
77c60d1066e7ba83958cf482e932b0db5908c85abef08d4e49537d3ba30c241a

SHA512
b4087694d19e162c5fed03f429a2a6c68c0d8a6981c6c250a070b628029bb065fc8810d07f83df7065e1c55e3e71f836e9f84f75b08bf264e557fed591b44db8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9a6fc202cdf4cade63569832b12341e9

SHA1
cb09b9c9d7c976d2ad41367c881bfc7689a6263a

SHA256
d3d47ba64a8271113cf43b2cc9b0be741d269d8af46119d48f0b9ce0581ee54c

SHA512
6f35e54a5ef90a5c2a6dcdfc5b59bb7535fafdedc2b394e8b64c28e66047dd7dff568b0382ca7baf91e86aba7d4b3403754ba8bf9be9bff758fb3127371eae9b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
088d1a851122e2d9ab9be43eee1d2609

SHA1
80d02edd0a6402b500f539f2a5126327f479a5ec

SHA256
669d3759d0a64ba60a45197a00cee4dc9b0f6a60da51cd252f096052e96b15dd

SHA512
3face5b7ed2ea8e5ef04cc11ca0679023226badb00eca93b1f19e672c5738c7175dba145387dc87139ca25101930f37608ca0f87734f667e6d85d79edd5122da

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
91bc56e682595b0d3485c22eb50aaad0

SHA1
7aa193b1c7a8319abae2770b1ab89c14b67bc899

SHA256
4661686c86a9e8ebb46bec15ad2f2289aafe31e32a578b29da7b9bae2cb07e8a

SHA512
e619e49b8d9274fff3d31fc4486a7d728255461c6c52541bbf95d4bd98fa044838d4613f727079281ed200d000fbd054a7844c6ce6bab4283dd4260325e381ae

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8cbaea2c619996271adf41b171c654e4

SHA1
963fd1b2b449aa7ae3d410a06f4088555a930d4c

SHA256
33e3d8784b630c41bdc8eaad218c5a0b5c5006604d349fadc55a379f9337748d

SHA512
a9fa4a079bdd6c72608865d2b251f6a076aecb2e833d67b95c706db741a18d1c02e2eed62f93e458a4d38e1d60c9152617df100e24b841829485ca48a5a30556

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d9d8703a99e402d1a8e0dee629575ea1

SHA1
fba01a9e2caa9dcfcee6fc0e00a76eb15478012d

SHA256
dfd6a2228a30e1eebda0152af3cc48b0b90460c075178e4b142b99eebbafbd9b

SHA512
002ffeefb07a026eeb98e2267afda44a979110c3b540a15b941cbf90edc284f673cb59628cf377a7dc2ba0947260471cf144e8e2a1209b16f55804595a87b382

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
054870b985a2afe7f2db01b46c20fad6

SHA1
4283818dad2ebc7a22f2973ca87a21c1f1f0ad83

SHA256
5ac0d94d9f6a39c44c8ce78cf09179f5ac11fe751bc66e44f7cab4c19281713b

SHA512
7a8b01381b3a83c52318f915a6af999ed88508a25818603f4a0db2d42958d7c7c3210493d83d3041ca18f712cf9ba5ac04779e227ed128f15855e2ace511cabf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fe89692fc8ead1fd7a212e6824ed1e5b

SHA1
e63a4289cb25a1c3c564dbcec815a4c175d22f27

SHA256
11220ec020940af4e642edf57687c1c4db4cf213df47dd532c5180b613995f6d

SHA512
100ef84b4989000cf0a750575ec6aab2789bf7cf4a2857fe9891a87052cca39d41b5486a02ff02d0493643c39f6d2b61908fdf596e3e465248837eac60b9dda5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
52f583a70cab2d46452b32e571f084b8

SHA1
5978ffc334722604d6177dbce72982d794f5b9a1

SHA256
31ca5b33c50025ce0b7c87769853817b2508194e90a52a2dc1d0b437cae65c5b

SHA512
8468d0e2d01c8898644d941171aff4f3e0367a45cd989d483c693306c406017f7103d7056a2cd6675f55a5579bb5a3a6e8401f124729711cf5345d0707b82003

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d3bdbdb62f81151a1822fdacd039cb3b

SHA1
ebaf80f01e62a7c15a9f2c7fd7ec702e458216b1

SHA256
df5fd46726dab521c38740571299eefd2a08f09fc6e0040c01b5f249670d8130

SHA512
75bfb8875f13d328848cb5959b4a995e1966aa7c7533134d0999f5c47fcaae7568b8ac2c5f56049f8ed3968668fc5aba80739fecd6e53b74d4468c6490f00314

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3c0c170764c2046f5c5c405df5d8349f

SHA1
2900688b164bf68435ae5073fb50fb423b7e229d

SHA256
f8aba941d4d573e0b11c69233cba06aeea19eb38169bc5845a31c1791160a63e

SHA512
712603ba660ac1f4bf1ecdbe9d990fc3acf4d337f251db8106662423cd93f7e92d31d3d304c2721437017b07efb001e07a4ae7e3ddb89ce4d7ff035400119ee4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e4c346d99c2c8eaed852b00b81dff37b

SHA1
237b3541482e645181ee632fab26a9e7526630de

SHA256
af74bc7bf1974587a6602479fe695356a5b70ce93999fc7f7b8af026c29d8d75

SHA512
bffe0ea1448a98d73b21dc9a3253798c1baa17bf8aab876d1e4409e3694b452631569e899729004d70cdc42753b588281b034654432daaafebeb87e86d4ca1bf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f37675b13b4739b50b84af8856024e77

SHA1
e3587d5dc01bba50806500137224a17d07479ceb

SHA256
2d7d83230f603a9886af6d98063b824b0e501f7cb50ae5b6c0a3007db0c7a5ea

SHA512
2f4b1a0a3150eca39605ed3579fed7ef4b4e76d5ff57c74a265d7d4387751b43b9009c1be76bc8a280ed6a68a45b4945b43d9469f56788869cddf66288a853c9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
61546eb6db7219fb064cd64da6ec7da6

SHA1
a14e884009a20e85ab3ca99f931d8cede348bc77

SHA256
a178cd562b86c71ee9315c7fd1cce7241c3a7de8fcdcb8afe7c0f194210e7b5b

SHA512
57ef3e40cb94101d126b990954da5d6189dc65b1b2dfd2aa3f62e3741862cf6a5c785efc41fd38487310ddddefe13bfc4d7a1846fe09cf0637d5e17dda516f77

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/384-61-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/484-123-0x0000000000000000-mapping.dmp

Download
memory/624-143-0x0000000000000000-mapping.dmp

Download
memory/848-68-0x0000000000000000-mapping.dmp

Download
memory/1224-128-0x0000000000000000-mapping.dmp

Download
memory/1264-98-0x0000000000000000-mapping.dmp

Download
memory/1336-118-0x0000000000000000-mapping.dmp

Download
memory/1356-63-0x0000000000000000-mapping.dmp

Download
memory/1440-103-0x0000000000000000-mapping.dmp

Download
memory/1448-108-0x0000000000000000-mapping.dmp

Download
memory/1464-93-0x0000000000000000-mapping.dmp

Download
memory/1508-168-0x0000000000000000-mapping.dmp

Download
memory/1596-73-0x0000000000000000-mapping.dmp

Download
memory/1636-133-0x0000000000000000-mapping.dmp

Download
memory/1656-83-0x0000000000000000-mapping.dmp

Download
memory/1728-78-0x0000000000000000-mapping.dmp

Download
memory/1764-153-0x0000000000000000-mapping.dmp

Download
memory/1792-148-0x0000000000000000-mapping.dmp

Download
memory/1900-113-0x0000000000000000-mapping.dmp

Download
memory/1908-60-0x0000000000000000-mapping.dmp

Download
memory/1936-138-0x0000000000000000-mapping.dmp

Download
memory/1988-163-0x0000000000000000-mapping.dmp

Download
memory/1992-88-0x0000000000000000-mapping.dmp

Download
memory/2008-158-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 384 wrote to memory of 1908	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 384 wrote to memory of 1908	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 384 wrote to memory of 1908	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 384 wrote to memory of 1908	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 384 wrote to memory of 1356	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 384 wrote to memory of 1356	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 384 wrote to memory of 1356	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 384 wrote to memory of 1356	384	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1356 wrote to memory of 848	1356	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1356 wrote to memory of 848	1356	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1356 wrote to memory of 848	1356	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1356 wrote to memory of 848	1356	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 848 wrote to memory of 1596	848	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 848 wrote to memory of 1596	848	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 848 wrote to memory of 1596	848	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 848 wrote to memory of 1596	848	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1596 wrote to memory of 1728	1596	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1596 wrote to memory of 1728	1596	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1596 wrote to memory of 1728	1596	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1596 wrote to memory of 1728	1596	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1728 wrote to memory of 1656	1728	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1728 wrote to memory of 1656	1728	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1728 wrote to memory of 1656	1728	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1728 wrote to memory of 1656	1728	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1656 wrote to memory of 1992	1656	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1656 wrote to memory of 1992	1656	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1656 wrote to memory of 1992	1656	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1656 wrote to memory of 1992	1656	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1992 wrote to memory of 1464	1992	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1992 wrote to memory of 1464	1992	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1992 wrote to memory of 1464	1992	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1992 wrote to memory of 1464	1992	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1464 wrote to memory of 1264	1464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1464 wrote to memory of 1264	1464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1464 wrote to memory of 1264	1464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1464 wrote to memory of 1264	1464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1264 wrote to memory of 1440	1264	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1264 wrote to memory of 1440	1264	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1264 wrote to memory of 1440	1264	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1264 wrote to memory of 1440	1264	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1440 wrote to memory of 1448	1440	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1440 wrote to memory of 1448	1440	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1440 wrote to memory of 1448	1440	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1440 wrote to memory of 1448	1440	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1448 wrote to memory of 1900	1448	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1448 wrote to memory of 1900	1448	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1448 wrote to memory of 1900	1448	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1448 wrote to memory of 1900	1448	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1900 wrote to memory of 1336	1900	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1900 wrote to memory of 1336	1900	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1900 wrote to memory of 1336	1900	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1900 wrote to memory of 1336	1900	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1336 wrote to memory of 484	1336	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1336 wrote to memory of 484	1336	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1336 wrote to memory of 484	1336	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1336 wrote to memory of 484	1336	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 484 wrote to memory of 1224	484	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 484 wrote to memory of 1224	484	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 484 wrote to memory of 1224	484	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 484 wrote to memory of 1224	484	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1224 wrote to memory of 1636	1224	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1224 wrote to memory of 1636	1224	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1224 wrote to memory of 1636	1224	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1224 wrote to memory of 1636	1224	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads